Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2233234/?format=api
{ "id": 2233234, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2233234/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260505213606.3873472-2-ju.o@free.fr/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/1.1/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260505213606.3873472-2-ju.o@free.fr>", "date": "2026-05-05T21:36:05", "name": "[2/2] boot/grub2: bump to version 2.14", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "1c1d16763d3b6745c25173afcb2bb64d40268344", "submitter": { "id": 80537, "url": "http://patchwork.ozlabs.org/api/1.1/people/80537/?format=api", "name": "Julien Olivain", "email": "ju.o@free.fr" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260505213606.3873472-2-ju.o@free.fr/mbox/", "series": [ { "id": 502900, "url": "http://patchwork.ozlabs.org/api/1.1/series/502900/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=502900", "date": "2026-05-05T21:36:04", "name": "[1/2] board/pc/linux.config: enable CONFIG_EFI_STUB", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502900/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2233234/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2233234/checks/", "tags": {}, "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=H8GEetb5;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g9BfX5Xjdz1yJV\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 06 May 2026 07:36:36 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id AF45460BB1;\n\tTue, 5 May 2026 21:36:34 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Uozy_ZQkHbZU; Tue, 5 May 2026 21:36:31 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 852C360BAB;\n\tTue, 5 May 2026 21:36:31 +0000 (UTC)", "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id B4330315\n for <buildroot@buildroot.org>; Tue, 5 May 2026 21:36:30 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 9BFBA60BA4\n for <buildroot@buildroot.org>; Tue, 5 May 2026 21:36:30 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id qWF1ot1vLnGN for <buildroot@buildroot.org>;\n Tue, 5 May 2026 21:36:28 +0000 (UTC)", "from smtp5-g21.free.fr (smtp5-g21.free.fr [212.27.42.5])\n by smtp3.osuosl.org (Postfix) with ESMTPS id F25F060BAB\n for <buildroot@buildroot.org>; Tue, 5 May 2026 21:36:26 +0000 (UTC)", "from home.juju.sh (unknown\n [IPv6:2a01:e0a:1065:2100:52d9:65fe:2df3:c492])\n (Authenticated sender: ju.o@free.fr)\n by smtp5-g21.free.fr (Postfix) with ESMTPSA id 24C835FFB4;\n Tue, 5 May 2026 23:36:20 +0200 (CEST)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 852C360BAB", "OpenDKIM Filter v2.11.0 smtp3.osuosl.org F25F060BAB" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1778016991;\n\tbh=EBGLgdkBEhZnd79mqaJQ4K9H4UQA5OXWyv31nSZD3bU=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=H8GEetb5KFmvvAz1O0wvn931ZVQTGneQLPo+Kq3pUgrvnIG72pOBpbTMZB9hJcvYT\n\t xqNyuBIaA0wajPSLm9nh8JjPlHWJBjfjQE8DlTiHx3+EQq7Oud40nu+EXHyAn9VwcC\n\t Tit97voXLjfADIeF+sZvvfYtFPiyzZhDu8IHduq/5Adf7WaBs+nQb4lzoCv6zBcaGB\n\t yx7XRqyRNmBv1gL/11f9A/idcr3hjoXY7v/VDiI9X+fp7NJ8zJ1ytUfzMx3quocPL3\n\t MDQzHHfEz18VI8N4hAPIiwtx3HgxT3uVsC3YcjU4hKYuXaZxIXY6p9nHH587DoxpXX\n\t xopZLfJSIK28w==", "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=212.27.42.5;\n helo=smtp5-g21.free.fr; envelope-from=ju.o@free.fr; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org F25F060BAB", "To": "buildroot@buildroot.org", "Cc": "Dick Olsson <hi@senzilla.io>,\n Thomas Petazzoni <thomas.petazzoni@bootlin.com>,\n Julien Olivain <ju.o@free.fr>", "Date": "Tue, 5 May 2026 23:36:05 +0200", "Message-ID": "<20260505213606.3873472-2-ju.o@free.fr>", "X-Mailer": "git-send-email 2.54.0", "In-Reply-To": "<20260505213606.3873472-1-ju.o@free.fr>", "References": "<20260505213606.3873472-1-ju.o@free.fr>", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=free.fr; s=smtp-20201208; t=1778016985;\n bh=t+pifG336bXHiA00QaPMLS27nAZYLStLMmIaMOCC3Sk=;\n h=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n b=AaQJesL1RhLDkAm30boqluEKeyHxl3F54XR7Ew2c+T2XI1wWRAsDrFnxd5m3Q6OqH\n lFFkdopHWQA1CD2IIffizbOd8iLNWnPWCbCElv3ib/6z935U4eE4fwurwoQkKcHTxg\n Fzey8UGQ0TNO+rJ/WsBRU7US8TSKyso6DTwg6mA8UZMxe7kIHHX99W2kaCQWDKJ4TS\n sOeJDemKIBl0ZA9PcyuXVA+CXNkVqjds+jN5td7/oeTrSlglDDsYVZvLMYUZhpGEpB\n a1s6m2AieEWcXi4e627/6x6Gd858eCYIHPlJswdTuJutgCy8HVql8oqI8y+K6TKICr\n /u0G0M29s3wLg==", "X-Mailman-Original-Authentication-Results": [ "smtp3.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=free.fr", "smtp3.osuosl.org;\n dkim=pass (2048-bit key) header.d=free.fr header.i=@free.fr\n header.a=rsa-sha256 header.s=smtp-20201208 header.b=AaQJesL1" ], "Subject": "[Buildroot] [PATCH 2/2] boot/grub2: bump to version 2.14", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Julien Olivain via buildroot <buildroot@buildroot.org>", "Reply-To": "Julien Olivain <ju.o@free.fr>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "For release announce on mailing list, see [1].\nFor release general news, see [2].\n\nThis commit removes all package patches as they are all included in\nthis version, except patch #74 for which an alternate fix is included\nin this new version in commit [3].\n\nTested by compiling and booting the defconfigs using grub2:\n\nqemu_aarch64_sbsa_defconfig\nqemu_arm_ebbr_defconfig\nqemu_loongarch64_virt_efi_defconfig\nqemu_riscv64_virt_efi_defconfig\npc_x86_64_bios_defconfig\npc_x86_64_efi_defconfig\n\nand running the tests:\n\n support/testing/run-tests \\\n -d dl -o output_folder \\\n tests.boot.test_grub \\\n tests.fs.test_iso9660\n\n[1] https://lists.gnu.org/archive/html/grub-devel/2026-01/msg00029.html\n[2] https://gitlab.freedesktop.org/gnu-grub/grub/-/blob/grub-2.14/NEWS\n[3] https://gitlab.freedesktop.org/gnu-grub/grub/-/commit/0739d24cd1648531d0708d1079ff6bbfa6140268\n\nSigned-off-by: Julien Olivain <ju.o@free.fr>\n---\n ...-core-extra_deps.lst-file-in-release.patch | 37 --\n .../0002-misc-Implement-grub_strlcpy.patch | 70 ---\n .../0003-fs-ufs-Fix-a-heap-OOB-write.patch | 36 --\n ...Fix-stack-OOB-write-with-grub_strcpy.patch | 36 --\n ...itialize-name-in-grub_cpio_find_file.patch | 45 --\n ...ger-overflow-leads-to-heap-OOB-write.patch | 94 ---\n ...f2fs-Set-a-grub_errno-if-mount-fails.patch | 36 --\n ...plus-Set-a-grub_errno-if-mount-fails.patch | 40 --\n ...9660-Set-a-grub_errno-if-mount-fails.patch | 38 --\n .../0010-fs-iso9660-Fix-invalid-free.patch | 55 --\n ...11-fs-jfs-Fix-OOB-read-in-jfs_getent.patch | 68 ---\n ...ead-caused-by-invalid-dir-slot-index.patch | 69 ---\n ...40-bits-offset-and-address-for-a-dat.patch | 133 -----\n ...ent-signed-unsigned-types-usage-in-r.patch | 90 ---\n ...ut-of-bounds-read-for-inline-extents.patch | 51 --\n .../0016-fs-xfs-Fix-out-of-bounds-read.patch | 48 --\n ...g-failing-to-mount-sets-a-grub_errno.patch | 47 --\n ...18-kern-file-Ensure-file-data-is-set.patch | 37 --\n ...lement-filesystem-reference-counting.patch | 449 --------------\n ...-Reference-tracking-for-the-loopback.patch | 108 ----\n ...0021-kern-disk-Limit-recursion-depth.patch | 125 ----\n ...tion-Limit-recursion-in-part_iterate.patch | 49 --\n ...pt-execute-Limit-the-recursion-depth.patch | 60 --\n ...et_default_ip-and-net_default_mac-va.patch | 34 --\n ...bles-hooks-when-interface-is-unregis.patch | 93 ---\n ...write-in-grub_net_search_config_file.patch | 89 ---\n ...x-stack-buffer-overflow-in-tftp_open.patch | 120 ----\n ...eg-Do-not-permit-duplicate-SOF0-mark.patch | 38 --\n ...r-an-integer-overflow-in-grub_dl_ref.patch | 143 -----\n ...r-the-SHF_INFO_LINK-flag-in-grub_dl_.patch | 46 --\n ...-Missing-check-for-failed-allocation.patch | 39 --\n ...032-commands-ls-Fix-NULL-dereference.patch | 37 --\n ...egister-the-check_signatures-hooks-o.patch | 36 --\n ...ove-variables-hooks-on-module-unload.patch | 42 --\n ...ove-variables-hooks-on-module-unload.patch | 39 --\n ...overflow-leads-to-heap-OOB-write-or-.patch | 40 --\n ...ger-overflow-leads-to-heap-OOB-write.patch | 58 --\n ...x-an-integer-overflow-when-supplying.patch | 74 ---\n ...ack-overflow-due-to-unlimited-recurs.patch | 88 ---\n ...-Block-the-dump-command-in-lockdown-.patch | 38 --\n ...isable-memory-reading-in-lockdown-mo.patch | 55 --\n ...-Disable-memory-reading-in-lockdown-.patch | 42 --\n .../0043-fs-bfs-Disable-under-lockdown.patch | 57 --\n ...able-many-filesystems-under-lockdown.patch | 396 -------------\n ...afe-math-macros-to-prevent-overflows.patch | 551 ------------------\n ...rflows-when-allocating-memory-for-ar.patch | 47 --\n ...turned-pointer-for-allocated-memory-.patch | 157 -----\n ...disk-Call-grub_ieee1275_close-when-g.patch | 36 --\n ...afe-math-macros-to-prevent-overflows.patch | 362 ------------\n ...lows-when-allocating-memory-for-arra.patch | 87 ---\n ...lows-when-assigning-returned-values-.patch | 110 ----\n ...afe-math-macros-to-prevent-overflows.patch | 143 -----\n ...verflows-when-allocating-memory-for-.patch | 45 --\n ...returned-pointer-for-allocated-memor.patch | 93 ---\n ...ng-NULL-check-after-grub_strdup-call.patch | 29 -\n ...afe-math-macros-to-prevent-overflows.patch | 250 --------\n ...flows-when-allocating-memory-for-arr.patch | 50 --\n ...urned-pointer-for-allocated-memory-i.patch | 36 --\n ...fs-Check-if-allocated-memory-is-NULL.patch | 37 --\n ...ix-potential-underflow-and-NULL-dere.patch | 37 --\n ...unix-getroot-Fix-potential-underflow.patch | 40 --\n ...e-consistent-overflow-error-messages.patch | 60 --\n ...ine-GRUB_EHCI_TOGGLE-as-grub_uint32_.patch | 35 --\n ...safe-math-to-avoid-an-integer-overfl.patch | 46 --\n ...dd-sanity-check-after-grub_strtoul-c.patch | 51 --\n ...sanity-check-after-grub_strtoul-call.patch | 62 --\n ...nux-Cast-left-shift-to-grub_uint32_t.patch | 35 --\n ...bsd-Use-safe-math-to-avoid-underflow.patch | 61 --\n ...ut-of-bounds-read-for-inline-and-ext.patch | 69 ---\n ...xfs_iterate_dir-return-value-in-case.patch | 53 --\n ...-incorrect-inode-error-from-grub_xfs.patch | 77 ---\n ...ot-inode-read-failure-in-grub_xfs_mo.patch | 29 -\n ...ee1275-ofnet-Add-missing-grub_malloc.patch | 36 --\n ...074-Constant-time-grub_crypto_memcmp.patch | 64 --\n boot/grub2/grub2.hash | 4 +-\n boot/grub2/grub2.mk | 33 +-\n 76 files changed, 3 insertions(+), 6247 deletions(-)\n delete mode 100644 boot/grub2/0001-Add-missing-grub-core-extra_deps.lst-file-in-release.patch\n delete mode 100644 boot/grub2/0002-misc-Implement-grub_strlcpy.patch\n delete mode 100644 boot/grub2/0003-fs-ufs-Fix-a-heap-OOB-write.patch\n delete mode 100644 boot/grub2/0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch\n delete mode 100644 boot/grub2/0005-fs-tar-Initialize-name-in-grub_cpio_find_file.patch\n delete mode 100644 boot/grub2/0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch\n delete mode 100644 boot/grub2/0007-fs-f2fs-Set-a-grub_errno-if-mount-fails.patch\n delete mode 100644 boot/grub2/0008-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch\n delete mode 100644 boot/grub2/0009-fs-iso9660-Set-a-grub_errno-if-mount-fails.patch\n delete mode 100644 boot/grub2/0010-fs-iso9660-Fix-invalid-free.patch\n delete mode 100644 boot/grub2/0011-fs-jfs-Fix-OOB-read-in-jfs_getent.patch\n delete mode 100644 boot/grub2/0012-fs-jfs-Fix-OOB-read-caused-by-invalid-dir-slot-index.patch\n delete mode 100644 boot/grub2/0013-fs-jfs-Use-full-40-bits-offset-and-address-for-a-dat.patch\n delete mode 100644 boot/grub2/0014-fs-jfs-Inconsistent-signed-unsigned-types-usage-in-r.patch\n delete mode 100644 boot/grub2/0015-fs-ext2-Fix-out-of-bounds-read-for-inline-extents.patch\n delete mode 100644 boot/grub2/0016-fs-xfs-Fix-out-of-bounds-read.patch\n delete mode 100644 boot/grub2/0017-fs-xfs-Ensuring-failing-to-mount-sets-a-grub_errno.patch\n delete mode 100644 boot/grub2/0018-kern-file-Ensure-file-data-is-set.patch\n delete mode 100644 boot/grub2/0019-kern-file-Implement-filesystem-reference-counting.patch\n delete mode 100644 boot/grub2/0020-disk-loopback-Reference-tracking-for-the-loopback.patch\n delete mode 100644 boot/grub2/0021-kern-disk-Limit-recursion-depth.patch\n delete mode 100644 boot/grub2/0022-kern-partition-Limit-recursion-in-part_iterate.patch\n delete mode 100644 boot/grub2/0023-script-execute-Limit-the-recursion-depth.patch\n delete mode 100644 boot/grub2/0024-net-Unregister-net_default_ip-and-net_default_mac-va.patch\n delete mode 100644 boot/grub2/0025-net-Remove-variables-hooks-when-interface-is-unregis.patch\n delete mode 100644 boot/grub2/0026-net-Fix-OOB-write-in-grub_net_search_config_file.patch\n delete mode 100644 boot/grub2/0027-net-tftp-Fix-stack-buffer-overflow-in-tftp_open.patch\n delete mode 100644 boot/grub2/0028-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch\n delete mode 100644 boot/grub2/0029-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch\n delete mode 100644 boot/grub2/0030-kern-dl-Check-for-the-SHF_INFO_LINK-flag-in-grub_dl_.patch\n delete mode 100644 boot/grub2/0031-commands-extcmd-Missing-check-for-failed-allocation.patch\n delete mode 100644 boot/grub2/0032-commands-ls-Fix-NULL-dereference.patch\n delete mode 100644 boot/grub2/0033-commands-pgp-Unregister-the-check_signatures-hooks-o.patch\n delete mode 100644 boot/grub2/0034-normal-Remove-variables-hooks-on-module-unload.patch\n delete mode 100644 boot/grub2/0035-gettext-Remove-variables-hooks-on-module-unload.patch\n delete mode 100644 boot/grub2/0036-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch\n delete mode 100644 boot/grub2/0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch\n delete mode 100644 boot/grub2/0038-commands-read-Fix-an-integer-overflow-when-supplying.patch\n delete mode 100644 boot/grub2/0039-commands-test-Stack-overflow-due-to-unlimited-recurs.patch\n delete mode 100644 boot/grub2/0040-commands-minicmd-Block-the-dump-command-in-lockdown-.patch\n delete mode 100644 boot/grub2/0041-commands-memrw-Disable-memory-reading-in-lockdown-mo.patch\n delete mode 100644 boot/grub2/0042-commands-hexdump-Disable-memory-reading-in-lockdown-.patch\n delete mode 100644 boot/grub2/0043-fs-bfs-Disable-under-lockdown.patch\n delete mode 100644 boot/grub2/0044-fs-Disable-many-filesystems-under-lockdown.patch\n delete mode 100644 boot/grub2/0045-disk-Use-safe-math-macros-to-prevent-overflows.patch\n delete mode 100644 boot/grub2/0046-disk-Prevent-overflows-when-allocating-memory-for-ar.patch\n delete mode 100644 boot/grub2/0047-disk-Check-if-returned-pointer-for-allocated-memory-.patch\n delete mode 100644 boot/grub2/0048-disk-ieee1275-ofdisk-Call-grub_ieee1275_close-when-g.patch\n delete mode 100644 boot/grub2/0049-fs-Use-safe-math-macros-to-prevent-overflows.patch\n delete mode 100644 boot/grub2/0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch\n delete mode 100644 boot/grub2/0051-fs-Prevent-overflows-when-assigning-returned-values-.patch\n delete mode 100644 boot/grub2/0052-fs-zfs-Use-safe-math-macros-to-prevent-overflows.patch\n delete mode 100644 boot/grub2/0053-fs-zfs-Prevent-overflows-when-allocating-memory-for-.patch\n delete mode 100644 boot/grub2/0054-fs-zfs-Check-if-returned-pointer-for-allocated-memor.patch\n delete mode 100644 boot/grub2/0055-fs-zfs-Add-missing-NULL-check-after-grub_strdup-call.patch\n delete mode 100644 boot/grub2/0056-net-Use-safe-math-macros-to-prevent-overflows.patch\n delete mode 100644 boot/grub2/0057-net-Prevent-overflows-when-allocating-memory-for-arr.patch\n delete mode 100644 boot/grub2/0058-net-Check-if-returned-pointer-for-allocated-memory-i.patch\n delete mode 100644 boot/grub2/0059-fs-sfs-Check-if-allocated-memory-is-NULL.patch\n delete mode 100644 boot/grub2/0060-script-execute-Fix-potential-underflow-and-NULL-dere.patch\n delete mode 100644 boot/grub2/0061-osdep-unix-getroot-Fix-potential-underflow.patch\n delete mode 100644 boot/grub2/0062-misc-Ensure-consistent-overflow-error-messages.patch\n delete mode 100644 boot/grub2/0063-bus-usb-ehci-Define-GRUB_EHCI_TOGGLE-as-grub_uint32_.patch\n delete mode 100644 boot/grub2/0064-normal-menu-Use-safe-math-to-avoid-an-integer-overfl.patch\n delete mode 100644 boot/grub2/0065-kern-partition-Add-sanity-check-after-grub_strtoul-c.patch\n delete mode 100644 boot/grub2/0066-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch\n delete mode 100644 boot/grub2/0067-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch\n delete mode 100644 boot/grub2/0068-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch\n delete mode 100644 boot/grub2/0069-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch\n delete mode 100644 boot/grub2/0070-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch\n delete mode 100644 boot/grub2/0071-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch\n delete mode 100644 boot/grub2/0072-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch\n delete mode 100644 boot/grub2/0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch\n delete mode 100644 boot/grub2/0074-Constant-time-grub_crypto_memcmp.patch", "diff": "diff --git a/boot/grub2/0001-Add-missing-grub-core-extra_deps.lst-file-in-release.patch b/boot/grub2/0001-Add-missing-grub-core-extra_deps.lst-file-in-release.patch\ndeleted file mode 100644\nindex 2a7c206b2d..0000000000\n--- a/boot/grub2/0001-Add-missing-grub-core-extra_deps.lst-file-in-release.patch\n+++ /dev/null\n@@ -1,37 +0,0 @@\n-From 4d4dae6a52b1749642261a15f5dcc1e3d4150b36 Mon Sep 17 00:00:00 2001\n-From: Julien Olivain <ju.o@free.fr>\n-Date: Fri, 22 Dec 2023 19:02:53 +0100\n-Subject: [PATCH] Add missing grub-core/extra_deps.lst file in release tarball\n-\n-A file is missing in the grub-2.12 release tarballs (both .gz and .xz).\n-See [1]. The issue was reported in [2] and fixed upstream in [3].\n-\n-This patch adds the missing file, on top of the release tarball. This\n-patch won't apply on upstream git, since the file is present in the\n-source repository. Since the issue is fixed upstream in [3], it is\n-expected upcoming releases tarballs will include the file.\n-\n-The file content was fetched from the upstream git repo:\n-https://git.savannah.gnu.org/gitweb/?p=grub.git;a=blob_plain;f=grub-core/extra_deps.lst;hb=refs/tags/grub-2.12\n-\n-[1] https://ftp.gnu.org/gnu/grub/grub-2.12.tar.xz\n-[2] https://lists.gnu.org/archive/html/grub-devel/2023-12/msg00054.html\n-[3] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b835601c7639ed1890f2d3db91900a8506011a8e\n-\n-Signed-off-by: Julien Olivain <ju.o@free.fr>\n-Upstream: Fixed by: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b835601c7639ed1890f2d3db91900a8506011a8e\n----\n- grub-core/extra_deps.lst | 1 +\n- 1 file changed, 1 insertion(+)\n- create mode 100644 grub-core/extra_deps.lst\n-\n-diff --git a/grub-core/extra_deps.lst b/grub-core/extra_deps.lst\n-new file mode 100644\n-index 0000000..f44ad6a\n---- /dev/null\n-+++ b/grub-core/extra_deps.lst\n-@@ -0,0 +1 @@\n-+depends bli part_gpt\n--- \n-2.43.0\n-\ndiff --git a/boot/grub2/0002-misc-Implement-grub_strlcpy.patch b/boot/grub2/0002-misc-Implement-grub_strlcpy.patch\ndeleted file mode 100644\nindex f512df4440..0000000000\n--- a/boot/grub2/0002-misc-Implement-grub_strlcpy.patch\n+++ /dev/null\n@@ -1,70 +0,0 @@\n-From 67241595d3dae392589ee74b65cd40ea090d1837 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sat, 15 Jun 2024 02:33:08 +0100\n-Subject: [PATCH] misc: Implement grub_strlcpy()\n-\n-grub_strlcpy() acts the same way as strlcpy() does on most *NIX,\n-returning the length of src and ensuring dest is always NUL\n-terminated except when size is 0.\n-\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: ea703528a8581a2ea7e0bad424a70fdf0aec7d8f\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++\n- 1 file changed, 39 insertions(+)\n-\n-diff --git a/include/grub/misc.h b/include/grub/misc.h\n-index 1b35a167f..103175480 100644\n---- a/include/grub/misc.h\n-+++ b/include/grub/misc.h\n-@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)\n- return d - 1;\n- }\n- \n-+static inline grub_size_t\n-+grub_strlcpy (char *dest, const char *src, grub_size_t size)\n-+{\n-+ char *d = dest;\n-+ grub_size_t res = 0;\n-+ /*\n-+ * We do not subtract one from size here to avoid dealing with underflowing\n-+ * the value, which is why to_copy is always checked to be greater than one\n-+ * throughout this function.\n-+ */\n-+ grub_size_t to_copy = size;\n-+\n-+ /* Copy size - 1 bytes to dest. */\n-+ if (to_copy > 1)\n-+ while ((*d++ = *src++) != '\\0' && ++res && --to_copy > 1)\n-+ ;\n-+\n-+ /*\n-+ * NUL terminate if size != 0. The previous step may have copied a NUL byte\n-+ * if it reached the end of the string, but we know dest[size - 1] must always\n-+ * be a NUL byte.\n-+ */\n-+ if (size != 0)\n-+ dest[size - 1] = '\\0';\n-+\n-+ /* If there is still space in dest, but are here, we reached the end of src. */\n-+ if (to_copy > 1)\n-+ return res;\n-+\n-+ /*\n-+ * If we haven't reached the end of the string, iterate through to determine\n-+ * the strings total length.\n-+ */\n-+ while (*src++ != '\\0' && ++res)\n-+ ;\n-+\n-+ return res;\n-+}\n-+\n- /* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */\n- static inline void *\n- grub_memcpy (void *dest, const void *src, grub_size_t n)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0003-fs-ufs-Fix-a-heap-OOB-write.patch b/boot/grub2/0003-fs-ufs-Fix-a-heap-OOB-write.patch\ndeleted file mode 100644\nindex 0d822cba24..0000000000\n--- a/boot/grub2/0003-fs-ufs-Fix-a-heap-OOB-write.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From ab0f52dadcda56782b3e82be0b15fa6eb0e9cee1 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 02:03:33 +0100\n-Subject: [PATCH] fs/ufs: Fix a heap OOB write\n-\n-grub_strcpy() was used to copy a symlink name from the filesystem\n-image to a heap allocated buffer. This led to a OOB write to adjacent\n-heap allocations. Fix by using grub_strlcpy().\n-\n-Fixes: CVE-2024-45781\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/ufs.c | 2 +-\n- 1 file changed, 1 insertion(+), 1 deletion(-)\n-\n-diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c\n-index a354c92d9..01235101b 100644\n---- a/grub-core/fs/ufs.c\n-+++ b/grub-core/fs/ufs.c\n-@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)\n- /* Check against zero is paylindromic, no need to swap. */\n- if (data->inode.nblocks == 0\n- && INODE_SIZE (data) <= sizeof (data->inode.symlink))\n-- grub_strcpy (symlink, (char *) data->inode.symlink);\n-+ grub_strlcpy (symlink, (char *) data->inode.symlink, sz);\n- else\n- {\n- if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch b/boot/grub2/0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch\ndeleted file mode 100644\nindex 3cffc80530..0000000000\n--- a/boot/grub2/0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From 157e6e2a3da139dc2e08cf41b49115965cdaa1d3 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 02:48:33 +0100\n-Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy()\n-\n-Replaced with grub_strlcpy().\n-\n-CVE: CVE-2024-45782\n-CVE: CVE-2024-56737\n-Fixes: https://savannah.gnu.org/bugs/?66599\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 417547c10410b714e43f08f74137c24015f8f4c3\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/hfs.c | 2 +-\n- 1 file changed, 1 insertion(+), 1 deletion(-)\n-\n-diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c\n-index 91dc0e69c..920112b03 100644\n---- a/grub-core/fs/hfs.c\n-+++ b/grub-core/fs/hfs.c\n-@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk)\n- volume name. */\n- key.parent_dir = grub_cpu_to_be32_compile_time (1);\n- key.strlen = data->sblock.volname[0];\n-- grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));\n-+ grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str));\n- \n- if (grub_hfs_find_node (data, (char *) &key, data->cat_root,\n- \t\t\t 0, (char *) &dir, sizeof (dir)) == 0)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0005-fs-tar-Initialize-name-in-grub_cpio_find_file.patch b/boot/grub2/0005-fs-tar-Initialize-name-in-grub_cpio_find_file.patch\ndeleted file mode 100644\nindex 444c02c44f..0000000000\n--- a/boot/grub2/0005-fs-tar-Initialize-name-in-grub_cpio_find_file.patch\n+++ /dev/null\n@@ -1,45 +0,0 @@\n-From 2233c409ada20d1ab4a6a00a50cdde35e5a36589 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 02:47:54 +0100\n-Subject: [PATCH] fs/tar: Initialize name in grub_cpio_find_file()\n-\n-It was possible to iterate through grub_cpio_find_file() without\n-allocating name and not setting mode to GRUB_ARCHELP_ATTR_END, which\n-would cause the uninitialized value for name to be used as an argument\n-for canonicalize() in grub_archelp_dir().\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 2c8ac08c99466c0697f704242363fc687f492a0d\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/tar.c | 5 +++++\n- 1 file changed, 5 insertions(+)\n-\n-diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c\n-index c551ed6b5..646bce5eb 100644\n---- a/grub-core/fs/tar.c\n-+++ b/grub-core/fs/tar.c\n-@@ -78,6 +78,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- int reread = 0, have_longname = 0, have_longlink = 0;\n- \n- data->hofs = data->next_hofs;\n-+ *name = NULL;\n- \n- for (reread = 0; reread < 3; reread++)\n- {\n-@@ -202,6 +203,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- \t}\n- return GRUB_ERR_NONE;\n- }\n-+\n-+ if (*name == NULL)\n-+ return grub_error (GRUB_ERR_BAD_FS, \"invalid tar archive\");\n-+\n- return GRUB_ERR_NONE;\n- }\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch b/boot/grub2/0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch\ndeleted file mode 100644\nindex 9d89bcd48f..0000000000\n--- a/boot/grub2/0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch\n+++ /dev/null\n@@ -1,94 +0,0 @@\n-From 472e180b6aac8cb4f25affa687e68f9be4e3df79 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Fri, 22 Nov 2024 06:27:58 +0000\n-Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write\n-\n-Both namesize and linksize are derived from hd.size, a 12-digit octal\n-number parsed by read_number(). Later direct arithmetic calculation like\n-\"namesize + 1\" and \"linksize + 1\" may exceed the maximum value of\n-grub_size_t leading to heap OOB write. This patch fixes the issue by\n-using grub_add() and checking for an overflow.\n-\n-CVE: CVE-2024-45780\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Upstream: 0087bc6902182fe5cedce2d034c75a79cf6dd4f3\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/tar.c | 23 ++++++++++++++++++-----\n- 1 file changed, 18 insertions(+), 5 deletions(-)\n-\n-diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c\n-index 646bce5eb..386c09022 100644\n---- a/grub-core/fs/tar.c\n-+++ b/grub-core/fs/tar.c\n-@@ -25,6 +25,7 @@\n- #include <grub/mm.h>\n- #include <grub/dl.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- {\n- struct head hd;\n- int reread = 0, have_longname = 0, have_longlink = 0;\n-+ grub_size_t sz;\n- \n- data->hofs = data->next_hofs;\n- *name = NULL;\n-@@ -98,7 +100,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- \t{\n- \t grub_err_t err;\n- \t grub_size_t namesize = read_number (hd.size, sizeof (hd.size));\n--\t *name = grub_malloc (namesize + 1);\n-+\n-+\t if (grub_add (namesize, 1, &sz))\n-+\t return grub_error (GRUB_ERR_BAD_FS, N_(\"name size overflow\"));\n-+\n-+\t *name = grub_malloc (sz);\n- \t if (*name == NULL)\n- \t return grub_errno;\n- \t err = grub_disk_read (data->disk, 0,\n-@@ -118,15 +124,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- \t{\n- \t grub_err_t err;\n- \t grub_size_t linksize = read_number (hd.size, sizeof (hd.size));\n--\t if (data->linkname_alloc < linksize + 1)\n-+\n-+\t if (grub_add (linksize, 1, &sz))\n-+\t return grub_error (GRUB_ERR_BAD_FS, N_(\"link size overflow\"));\n-+\n-+\t if (data->linkname_alloc < sz)\n- \t {\n- \t char *n;\n--\t n = grub_calloc (2, linksize + 1);\n-+\t n = grub_calloc (2, sz);\n- \t if (!n)\n- \t\treturn grub_errno;\n- \t grub_free (data->linkname);\n- \t data->linkname = n;\n--\t data->linkname_alloc = 2 * (linksize + 1);\n-+\t data->linkname_alloc = 2 * (sz);\n- \t }\n- \n- \t err = grub_disk_read (data->disk, 0,\n-@@ -149,7 +159,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- \t while (extra_size < sizeof (hd.prefix)\n- \t\t && hd.prefix[extra_size])\n- \t extra_size++;\n--\t *name = grub_malloc (sizeof (hd.name) + extra_size + 2);\n-+\n-+\t if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))\n-+\t return grub_error (GRUB_ERR_BAD_FS, N_(\"long name size overflow\"));\n-+\t *name = grub_malloc (sz);\n- \t if (*name == NULL)\n- \t return grub_errno;\n- \t if (hd.prefix[0])\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0007-fs-f2fs-Set-a-grub_errno-if-mount-fails.patch b/boot/grub2/0007-fs-f2fs-Set-a-grub_errno-if-mount-fails.patch\ndeleted file mode 100644\nindex 320240b266..0000000000\n--- a/boot/grub2/0007-fs-f2fs-Set-a-grub_errno-if-mount-fails.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From 95f391673c0a08c2410454536614ef543cac6629 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 06:15:03 +0100\n-Subject: [PATCH] fs/f2fs: Set a grub_errno if mount fails\n-\n-It was previously possible for grub_errno to not be set when\n-grub_f2fs_mount() failed if nat_bitmap_ptr() returned NULL.\n-\n-This issue is solved by ensuring a grub_errno is set in the fail case.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 563436258cde64da6b974880abff1bf0959f4da3\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/f2fs.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c\n-index 855e24618..db8a65f8d 100644\n---- a/grub-core/fs/f2fs.c\n-+++ b/grub-core/fs/f2fs.c\n-@@ -872,6 +872,9 @@ grub_f2fs_mount (grub_disk_t disk)\n- return data;\n- \n- fail:\n-+ if (grub_errno == GRUB_ERR_NONE)\n-+ grub_error (GRUB_ERR_BAD_FS, \"not a F2FS filesystem\");\n-+\n- grub_free (data);\n- \n- return NULL;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0008-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch b/boot/grub2/0008-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch\ndeleted file mode 100644\nindex 3493ab8af3..0000000000\n--- a/boot/grub2/0008-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch\n+++ /dev/null\n@@ -1,40 +0,0 @@\n-From 947e9e98d35edd7b359498b5f31338dc228f5081 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 06:22:51 +0100\n-Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails\n-\n-It was possible for mount to fail but not set grub_errno. This led to\n-a possible double decrement of the module reference count if the NULL\n-page was mapped.\n-\n-Fixing in general as a similar bug was fixed in commit 61b13c187\n-(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there\n-are likely more variants around.\n-\n-Fixes: CVE-2024-45783\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: f7c070a2e28dfab7137db0739fb8db1dc02d8898\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/hfsplus.c | 2 +-\n- 1 file changed, 1 insertion(+), 1 deletion(-)\n-\n-diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c\n-index 295822f69..de71fd486 100644\n---- a/grub-core/fs/hfsplus.c\n-+++ b/grub-core/fs/hfsplus.c\n-@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk)\n- \n- fail:\n- \n-- if (grub_errno == GRUB_ERR_OUT_OF_RANGE)\n-+ if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)\n- grub_error (GRUB_ERR_BAD_FS, \"not a HFS+ filesystem\");\n- \n- grub_free (data);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0009-fs-iso9660-Set-a-grub_errno-if-mount-fails.patch b/boot/grub2/0009-fs-iso9660-Set-a-grub_errno-if-mount-fails.patch\ndeleted file mode 100644\nindex d9c38b62ba..0000000000\n--- a/boot/grub2/0009-fs-iso9660-Set-a-grub_errno-if-mount-fails.patch\n+++ /dev/null\n@@ -1,38 +0,0 @@\n-From a0e37c98e6f330110e4009f8e5ba73ca0c2eaff5 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 06:37:08 +0100\n-Subject: [PATCH] fs/iso9660: Set a grub_errno if mount fails\n-\n-It was possible for a grub_errno to not be set if mount of an ISO 9660\n-filesystem failed when set_rockridge() returned 0.\n-\n-This isn't known to be exploitable as the other filesystems due to\n-filesystem helper checking the requested file type. Though fixing\n-as a precaution.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 965db5970811d18069b34f28f5f31ddadde90a97\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/iso9660.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c\n-index 8c348b59a..8d480e602 100644\n---- a/grub-core/fs/iso9660.c\n-+++ b/grub-core/fs/iso9660.c\n-@@ -551,6 +551,9 @@ grub_iso9660_mount (grub_disk_t disk)\n- return data;\n- \n- fail:\n-+ if (grub_errno == GRUB_ERR_NONE)\n-+ grub_error (GRUB_ERR_BAD_FS, \"not a ISO9660 filesystem\");\n-+\n- grub_free (data);\n- return 0;\n- }\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0010-fs-iso9660-Fix-invalid-free.patch b/boot/grub2/0010-fs-iso9660-Fix-invalid-free.patch\ndeleted file mode 100644\nindex 6bd1665234..0000000000\n--- a/boot/grub2/0010-fs-iso9660-Fix-invalid-free.patch\n+++ /dev/null\n@@ -1,55 +0,0 @@\n-From 3acd964eafdd32e8ab7d7c04b18171052a859d3a Mon Sep 17 00:00:00 2001\n-From: Michael Chang <mchang@suse.com>\n-Date: Fri, 31 May 2024 15:14:42 +0800\n-Subject: [PATCH] fs/iso9660: Fix invalid free\n-\n-The ctx->filename can point to either a string literal or a dynamically\n-allocated string. The ctx->filename_alloc field is used to indicate the\n-type of allocation.\n-\n-An issue has been identified where ctx->filename is reassigned to\n-a string literal in susp_iterate_dir() but ctx->filename_alloc is not\n-correctly handled. This oversight causes a memory leak and an invalid\n-free operation later.\n-\n-The fix involves checking ctx->filename_alloc, freeing the allocated\n-string if necessary and clearing ctx->filename_alloc for string literals.\n-\n-Reported-by: Daniel Axtens <dja@axtens.net>\n-Signed-off-by: Michael Chang <mchang@suse.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 1443833a9535a5873f7de3798cf4d8389f366611\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/iso9660.c | 14 ++++++++++++--\n- 1 file changed, 12 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c\n-index 8d480e602..8e3c95c4f 100644\n---- a/grub-core/fs/iso9660.c\n-+++ b/grub-core/fs/iso9660.c\n-@@ -628,9 +628,19 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,\n- \t filename type is stored. */\n- /* FIXME: Fix this slightly improper cast. */\n- if (entry->data[0] & GRUB_ISO9660_RR_DOT)\n--\tctx->filename = (char *) \".\";\n-+\t{\n-+\t if (ctx->filename_alloc)\n-+\t grub_free (ctx->filename);\n-+\t ctx->filename_alloc = 0;\n-+\t ctx->filename = (char *) \".\";\n-+\t}\n- else if (entry->data[0] & GRUB_ISO9660_RR_DOTDOT)\n--\tctx->filename = (char *) \"..\";\n-+\t{\n-+\t if (ctx->filename_alloc)\n-+\t grub_free (ctx->filename);\n-+\t ctx->filename_alloc = 0;\n-+\t ctx->filename = (char *) \"..\";\n-+\t}\n- else if (entry->len >= 5)\n- \t{\n- \t grub_size_t off = 0, csize = 1;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0011-fs-jfs-Fix-OOB-read-in-jfs_getent.patch b/boot/grub2/0011-fs-jfs-Fix-OOB-read-in-jfs_getent.patch\ndeleted file mode 100644\nindex 96e34b0e9f..0000000000\n--- a/boot/grub2/0011-fs-jfs-Fix-OOB-read-in-jfs_getent.patch\n+++ /dev/null\n@@ -1,68 +0,0 @@\n-From b01accc4d132a252f02bf57c31f5fff8ce98a339 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Fri, 22 Nov 2024 06:27:59 +0000\n-Subject: [PATCH] fs/jfs: Fix OOB read in jfs_getent()\n-\n-The JFS fuzzing revealed an OOB read in grub_jfs_getent(). The crash\n-was caused by an invalid leaf nodes count, diro->dirpage->header.count,\n-which was larger than the maximum number of leaf nodes allowed in an\n-inode. This fix is to ensure that the leaf nodes count is validated in\n-grub_jfs_opendir() before calling grub_jfs_getent().\n-\n-On the occasion replace existing raw numbers with newly defined constant.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Upstream: 66175696f3a385b14bdf1ebcda7755834bd2d5fb\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/jfs.c | 17 +++++++++++++++--\n- 1 file changed, 15 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c\n-index 6f7c43904..32dec7fb7 100644\n---- a/grub-core/fs/jfs.c\n-+++ b/grub-core/fs/jfs.c\n-@@ -41,6 +41,12 @@ GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n- #define GRUB_JFS_TREE_LEAF\t2\n- \n-+/*\n-+ * Define max entries stored in-line in an inode.\n-+ * https://jfs.sourceforge.net/project/pub/jfslayout.pdf\n-+ */\n-+#define GRUB_JFS_INODE_INLINE_ENTRIES\t8\n-+\n- struct grub_jfs_sblock\n- {\n- /* The magic for JFS. It should contain the string \"JFS1\". */\n-@@ -203,9 +209,9 @@ struct grub_jfs_inode\n- \tgrub_uint8_t freecnt;\n- \tgrub_uint8_t freelist;\n- \tgrub_uint32_t idotdot;\n--\tgrub_uint8_t sorted[8];\n-+\tgrub_uint8_t sorted[GRUB_JFS_INODE_INLINE_ENTRIES];\n- } header;\n-- struct grub_jfs_leaf_dirent dirents[8];\n-+ struct grub_jfs_leaf_dirent dirents[GRUB_JFS_INODE_INLINE_ENTRIES];\n- } GRUB_PACKED dir;\n- /* Fast symlink. */\n- struct\n-@@ -453,6 +459,13 @@ grub_jfs_opendir (struct grub_jfs_data *data, struct grub_jfs_inode *inode)\n- /* Check if the entire tree is contained within the inode. */\n- if (inode->file.tree.flags & GRUB_JFS_TREE_LEAF)\n- {\n-+ if (inode->dir.header.count > GRUB_JFS_INODE_INLINE_ENTRIES)\n-+\t{\n-+\t grub_free (diro);\n-+\t grub_error (GRUB_ERR_BAD_FS, N_(\"invalid JFS inode\"));\n-+\t return 0;\n-+\t}\n-+\n- diro->leaf = inode->dir.dirents;\n- diro->next_leaf = (struct grub_jfs_leaf_next_dirent *) de;\n- diro->sorted = inode->dir.header.sorted;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0012-fs-jfs-Fix-OOB-read-caused-by-invalid-dir-slot-index.patch b/boot/grub2/0012-fs-jfs-Fix-OOB-read-caused-by-invalid-dir-slot-index.patch\ndeleted file mode 100644\nindex 6257a4b887..0000000000\n--- a/boot/grub2/0012-fs-jfs-Fix-OOB-read-caused-by-invalid-dir-slot-index.patch\n+++ /dev/null\n@@ -1,69 +0,0 @@\n-From b35b73b9d779e88fb4e6f53fb10a5bfebf3475aa Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Fri, 22 Nov 2024 06:28:00 +0000\n-Subject: [PATCH] fs/jfs: Fix OOB read caused by invalid dir slot index\n-\n-While fuzz testing JFS with ASAN enabled an OOB read was detected in\n-grub_jfs_opendir(). The issue occurred due to an invalid directory slot\n-index in the first entry of the sorted directory slot array in the inode\n-directory header. The fix ensures the slot index is validated before\n-accessing it. Given that an internal or a leaf node in a directory B+\n-tree is a 4 KiB in size and each directory slot is always 32 bytes, the\n-max number of slots in a node is 128. The validation ensures that the\n-slot index doesn't exceed this limit.\n-\n-[1] https://jfs.sourceforge.net/project/pub/jfslayout.pdf\n-\n- JFS will allocate 4K of disk space for an internal node of the B+ tree.\n- An internal node looks the same as a leaf node.\n- - page 10\n-\n- Fixed number of Directory Slots depending on the size of the node. These are\n- the slots to be used for storing the directory slot array and the directory\n- entries or router entries. A directory slot is always 32 bytes.\n- ...\n- A Directory Slot Array which is a sorted array of indices to the directory\n- slots that are currently in use.\n- ...\n- An internal or a leaf node in the directory B+ tree is a 4K page.\n- - page 25\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Upstream: ab09fd0531f3523ac0ef833404526c98c08248f7\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/jfs.c | 9 +++++++++\n- 1 file changed, 9 insertions(+)\n-\n-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c\n-index 32dec7fb7..88fb884df 100644\n---- a/grub-core/fs/jfs.c\n-+++ b/grub-core/fs/jfs.c\n-@@ -46,6 +46,7 @@ GRUB_MOD_LICENSE (\"GPLv3+\");\n- * https://jfs.sourceforge.net/project/pub/jfslayout.pdf\n- */\n- #define GRUB_JFS_INODE_INLINE_ENTRIES\t8\n-+#define GRUB_JFS_DIR_MAX_SLOTS\t\t128\n- \n- struct grub_jfs_sblock\n- {\n-@@ -481,6 +482,14 @@ grub_jfs_opendir (struct grub_jfs_data *data, struct grub_jfs_inode *inode)\n- return 0;\n- }\n- \n-+ if (inode->dir.header.sorted[0] >= GRUB_JFS_DIR_MAX_SLOTS)\n-+ {\n-+ grub_error (GRUB_ERR_BAD_FS, N_(\"invalid directory slot index\"));\n-+ grub_free (diro->dirpage);\n-+ grub_free (diro);\n-+ return 0;\n-+ }\n-+\n- blk = grub_le_to_cpu32 (de[inode->dir.header.sorted[0]].ex.blk2);\n- blk <<= (grub_le_to_cpu16 (data->sblock.log2_blksz) - GRUB_DISK_SECTOR_BITS);\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0013-fs-jfs-Use-full-40-bits-offset-and-address-for-a-dat.patch b/boot/grub2/0013-fs-jfs-Use-full-40-bits-offset-and-address-for-a-dat.patch\ndeleted file mode 100644\nindex cd5d69cf74..0000000000\n--- a/boot/grub2/0013-fs-jfs-Use-full-40-bits-offset-and-address-for-a-dat.patch\n+++ /dev/null\n@@ -1,133 +0,0 @@\n-From 978c4c79935a375cb16d94e8114d96fee013c288 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Mon, 16 Dec 2024 20:22:39 +0000\n-Subject: [PATCH] fs/jfs: Use full 40 bits offset and address for a data extent\n-\n-An extent's logical offset and address are represented as a 40-bit value\n-split into two parts: the most significant 8 bits and the least\n-significant 32 bits. Currently the JFS code uses only the least\n-significant 32 bits value for offsets and addresses assuming the data\n-size will never exceed the 32-bit range. This approach ignores the most\n-significant 8 bits potentially leading to incorrect offsets and\n-addresses for larger values. The patch fixes it by incorporating the\n-most significant 8 bits into the calculation to get the full 40-bits\n-value for offsets and addresses.\n-\n-https://jfs.sourceforge.net/project/pub/jfslayout.pdf\n-\n- \"off1,off2 is a 40-bit field, containing the logical offset of the first\n- block in the extent.\n- ...\n- addr1,addr2 is a 40-bit field, containing the address of the extent.\"\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Ross Philipson <ross.philipson@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: bd999310fe67f35a66de3bfa2836da91589d04ef\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/jfs.c | 41 +++++++++++++++++++++++++++++------------\n- 1 file changed, 29 insertions(+), 12 deletions(-)\n-\n-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c\n-index 88fb884df..2bde48d45 100644\n---- a/grub-core/fs/jfs.c\n-+++ b/grub-core/fs/jfs.c\n-@@ -265,6 +265,20 @@ static grub_dl_t my_mod;\n- \f\n- static grub_err_t grub_jfs_lookup_symlink (struct grub_jfs_data *data, grub_uint32_t ino);\n- \n-+/*\n-+ * An extent's offset, physical and logical, is represented as a 40-bit value.\n-+ * This 40-bit value is split into two parts:\n-+ * - offset1: the most signficant 8 bits of the offset,\n-+ * - offset2: the least significant 32 bits of the offset.\n-+ *\n-+ * This function calculates and returns the 64-bit offset of an extent.\n-+ */\n-+static grub_uint64_t\n-+get_ext_offset (grub_uint8_t offset1, grub_uint32_t offset2)\n-+{\n-+ return (((grub_uint64_t) offset1 << 32) | grub_le_to_cpu32 (offset2));\n-+}\n-+\n- static grub_int64_t\n- getblk (struct grub_jfs_treehead *treehead,\n- \tstruct grub_jfs_tree_extent *extents,\n-@@ -274,22 +288,25 @@ getblk (struct grub_jfs_treehead *treehead,\n- {\n- int found = -1;\n- int i;\n-+ grub_uint64_t ext_offset, ext_blk;\n- \n- for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&\n- \t i < max_extents; i++)\n- {\n-+ ext_offset = get_ext_offset (extents[i].offset1, extents[i].offset2);\n-+ ext_blk = get_ext_offset (extents[i].extent.blk1, extents[i].extent.blk2);\n-+\n- if (treehead->flags & GRUB_JFS_TREE_LEAF)\n- \t{\n- \t /* Read the leafnode. */\n--\t if (grub_le_to_cpu32 (extents[i].offset2) <= blk\n-+\t if (ext_offset <= blk\n- \t && ((grub_le_to_cpu16 (extents[i].extent.length))\n- \t\t + (extents[i].extent.length2 << 16)\n--\t\t + grub_le_to_cpu32 (extents[i].offset2)) > blk)\n--\t return (blk - grub_le_to_cpu32 (extents[i].offset2)\n--\t\t + grub_le_to_cpu32 (extents[i].extent.blk2));\n-+\t\t + ext_offset) > blk)\n-+\t return (blk - ext_offset + ext_blk);\n- \t}\n- else\n--\tif (blk >= grub_le_to_cpu32 (extents[i].offset2))\n-+\tif (blk >= ext_offset)\n- \t found = i;\n- }\n- \n-@@ -307,10 +324,9 @@ getblk (struct grub_jfs_treehead *treehead,\n- \treturn -1;\n- \n- if (!grub_disk_read (data->disk,\n--\t\t\t ((grub_disk_addr_t) grub_le_to_cpu32 (extents[found].extent.blk2))\n--\t\t\t << (grub_le_to_cpu16 (data->sblock.log2_blksz)\n--\t\t\t - GRUB_DISK_SECTOR_BITS), 0,\n--\t\t\t sizeof (*tree), (char *) tree))\n-+\t\t\t (grub_disk_addr_t) ext_blk\n-+\t\t\t << (grub_le_to_cpu16 (data->sblock.log2_blksz) - GRUB_DISK_SECTOR_BITS),\n-+\t\t\t 0, sizeof (*tree), (char *) tree))\n- \t{\n- \t if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||\n- \t grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))\n-@@ -361,7 +377,7 @@ grub_jfs_read_inode (struct grub_jfs_data *data, grub_uint32_t ino,\n- \t\t sizeof (iag_inodes), &iag_inodes))\n- return grub_errno;\n- \n-- inoblk = grub_le_to_cpu32 (iag_inodes[inoext].blk2);\n-+ inoblk = get_ext_offset (iag_inodes[inoext].blk1, iag_inodes[inoext].blk2);\n- inoblk <<= (grub_le_to_cpu16 (data->sblock.log2_blksz)\n- \t - GRUB_DISK_SECTOR_BITS);\n- inoblk += inonum;\n-@@ -490,7 +506,8 @@ grub_jfs_opendir (struct grub_jfs_data *data, struct grub_jfs_inode *inode)\n- return 0;\n- }\n- \n-- blk = grub_le_to_cpu32 (de[inode->dir.header.sorted[0]].ex.blk2);\n-+ blk = get_ext_offset (de[inode->dir.header.sorted[0]].ex.blk1,\n-+\t\t de[inode->dir.header.sorted[0]].ex.blk2);\n- blk <<= (grub_le_to_cpu16 (data->sblock.log2_blksz) - GRUB_DISK_SECTOR_BITS);\n- \n- /* Read in the nodes until we are on the leaf node level. */\n-@@ -508,7 +525,7 @@ grub_jfs_opendir (struct grub_jfs_data *data, struct grub_jfs_inode *inode)\n- \n- de = (struct grub_jfs_internal_dirent *) diro->dirpage->dirent;\n- index = diro->dirpage->sorted[diro->dirpage->header.sindex * 32];\n-- blk = (grub_le_to_cpu32 (de[index].ex.blk2)\n-+ blk = (get_ext_offset (de[index].ex.blk1, de[index].ex.blk2)\n- \t << (grub_le_to_cpu16 (data->sblock.log2_blksz)\n- \t\t - GRUB_DISK_SECTOR_BITS));\n- } while (!(diro->dirpage->header.flags & GRUB_JFS_TREE_LEAF));\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0014-fs-jfs-Inconsistent-signed-unsigned-types-usage-in-r.patch b/boot/grub2/0014-fs-jfs-Inconsistent-signed-unsigned-types-usage-in-r.patch\ndeleted file mode 100644\nindex f08e797b37..0000000000\n--- a/boot/grub2/0014-fs-jfs-Inconsistent-signed-unsigned-types-usage-in-r.patch\n+++ /dev/null\n@@ -1,90 +0,0 @@\n-From 32f319d100c3b8f9b04e6a175f599c7411a54555 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Mon, 16 Dec 2024 20:22:40 +0000\n-Subject: [PATCH] fs/jfs: Inconsistent signed/unsigned types usage in return\n- values\n-\n-The getblk() returns a value of type grub_int64_t which is assigned to\n-iagblk and inoblk, both of type grub_uint64_t, in grub_jfs_read_inode()\n-via grub_jfs_blkno(). This patch fixes the type mismatch in the\n-functions. Additionally, the getblk() will return 0 instead of -1 on\n-failure cases. This change is safe because grub_errno is always set in\n-getblk() to indicate errors and it is later checked in the callers.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Ross Philipson <ross.philipson@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: edd995a26ec98654d907a9436a296c2d82bc4b28\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/jfs.c | 15 +++++++++------\n- 1 file changed, 9 insertions(+), 6 deletions(-)\n-\n-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c\n-index 2bde48d45..70a2f4947 100644\n---- a/grub-core/fs/jfs.c\n-+++ b/grub-core/fs/jfs.c\n-@@ -279,7 +279,7 @@ get_ext_offset (grub_uint8_t offset1, grub_uint32_t offset2)\n- return (((grub_uint64_t) offset1 << 32) | grub_le_to_cpu32 (offset2));\n- }\n- \n--static grub_int64_t\n-+static grub_uint64_t\n- getblk (struct grub_jfs_treehead *treehead,\n- \tstruct grub_jfs_tree_extent *extents,\n- \tint max_extents,\n-@@ -290,6 +290,8 @@ getblk (struct grub_jfs_treehead *treehead,\n- int i;\n- grub_uint64_t ext_offset, ext_blk;\n- \n-+ grub_errno = GRUB_ERR_NONE;\n-+\n- for (i = 0; i < grub_le_to_cpu16 (treehead->count) - 2 &&\n- \t i < max_extents; i++)\n- {\n-@@ -312,7 +314,7 @@ getblk (struct grub_jfs_treehead *treehead,\n- \n- if (found != -1)\n- {\n-- grub_int64_t ret = -1;\n-+ grub_uint64_t ret = 0;\n- struct\n- {\n- \tstruct grub_jfs_treehead treehead;\n-@@ -321,7 +323,7 @@ getblk (struct grub_jfs_treehead *treehead,\n- \n- tree = grub_zalloc (sizeof (*tree));\n- if (!tree)\n--\treturn -1;\n-+\treturn 0;\n- \n- if (!grub_disk_read (data->disk,\n- \t\t\t (grub_disk_addr_t) ext_blk\n-@@ -334,19 +336,20 @@ getblk (struct grub_jfs_treehead *treehead,\n- \t else\n- \t {\n- \t grub_error (GRUB_ERR_BAD_FS, \"jfs: infinite recursion detected\");\n--\t ret = -1;\n-+\t ret = 0;\n- \t }\n- \t}\n- grub_free (tree);\n- return ret;\n- }\n- \n-- return -1;\n-+ grub_error (GRUB_ERR_READ_ERROR, \"jfs: block %\" PRIuGRUB_UINT64_T \" not found\", blk);\n-+ return 0;\n- }\n- \n- /* Get the block number for the block BLK in the node INODE in the\n- mounted filesystem DATA. */\n--static grub_int64_t\n-+static grub_uint64_t\n- grub_jfs_blkno (struct grub_jfs_data *data, struct grub_jfs_inode *inode,\n- \t\tgrub_uint64_t blk)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0015-fs-ext2-Fix-out-of-bounds-read-for-inline-extents.patch b/boot/grub2/0015-fs-ext2-Fix-out-of-bounds-read-for-inline-extents.patch\ndeleted file mode 100644\nindex c04fb8eae0..0000000000\n--- a/boot/grub2/0015-fs-ext2-Fix-out-of-bounds-read-for-inline-extents.patch\n+++ /dev/null\n@@ -1,51 +0,0 @@\n-From 7da8e2e23db5f1ddb9c4dc992c69349149163c4c Mon Sep 17 00:00:00 2001\n-From: Michael Chang <mchang@suse.com>\n-Date: Fri, 31 May 2024 15:14:23 +0800\n-Subject: [PATCH] fs/ext2: Fix out-of-bounds read for inline extents\n-\n-When inline extents are used, i.e. the extent tree depth equals zero,\n-a maximum of four entries can fit into the inode's data block. If the\n-extent header states a number of entries greater than four the current\n-ext2 implementation causes an out-of-bounds read. Fix this issue by\n-capping the number of extents to four when reading inline extents.\n-\n-Reported-by: Daniel Axtens <dja@axtens.net>\n-Signed-off-by: Michael Chang <mchang@suse.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 7e2f750f0a795c4d64ec7dc7591edac8da2e978c\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/ext2.c | 10 +++++++++-\n- 1 file changed, 9 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c\n-index e1cc5e62a..3f9f6b208 100644\n---- a/grub-core/fs/ext2.c\n-+++ b/grub-core/fs/ext2.c\n-@@ -495,6 +495,8 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)\n- struct grub_ext4_extent *ext;\n- int i;\n- grub_disk_addr_t ret;\n-+ grub_uint16_t nent;\n-+ const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */\n- \n- if (grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks,\n- \t\t\t fileblock, &leaf) != GRUB_ERR_NONE)\n-@@ -508,7 +510,13 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)\n- return 0;\n- \n- ext = (struct grub_ext4_extent *) (leaf + 1);\n-- for (i = 0; i < grub_le_to_cpu16 (leaf->entries); i++)\n-+\n-+ nent = grub_le_to_cpu16 (leaf->entries);\n-+\n-+ if (leaf->depth == 0)\n-+\tnent = grub_min (nent, max_inline_ext);\n-+\n-+ for (i = 0; i < nent; i++)\n- {\n- if (fileblock < grub_le_to_cpu32 (ext[i].block))\n- break;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0016-fs-xfs-Fix-out-of-bounds-read.patch b/boot/grub2/0016-fs-xfs-Fix-out-of-bounds-read.patch\ndeleted file mode 100644\nindex c42627b7cd..0000000000\n--- a/boot/grub2/0016-fs-xfs-Fix-out-of-bounds-read.patch\n+++ /dev/null\n@@ -1,48 +0,0 @@\n-From 854503d76e7dbc25f999d6be3e2ef4e8067f4152 Mon Sep 17 00:00:00 2001\n-From: Michael Chang <mchang@suse.com>\n-Date: Fri, 31 May 2024 15:14:57 +0800\n-Subject: [PATCH] fs/xfs: Fix out-of-bounds read\n-\n-The number of records in the root key array read from disk was not being\n-validated against the size of the root node. This could lead to an\n-out-of-bounds read.\n-\n-This patch adds a check to ensure that the number of records in the root\n-key array does not exceed the expected size of a root node read from\n-disk. If this check detects an out-of-bounds condition the operation is\n-aborted to prevent random errors due to metadata corruption.\n-\n-Reported-by: Daniel Axtens <dja@axtens.net>\n-Signed-off-by: Michael Chang <mchang@suse.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 6ccc77b59d16578b10eaf8a4fe85c20b229f0d8a\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/xfs.c | 11 +++++++++++\n- 1 file changed, 11 insertions(+)\n-\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index bc2224dbb..d2d533531 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -595,6 +595,17 @@ grub_xfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)\n- do\n- {\n- grub_uint64_t i;\n-+\t grub_addr_t keys_end, data_end;\n-+\n-+\t if (grub_mul (sizeof (grub_uint64_t), nrec, &keys_end) ||\n-+\t grub_add ((grub_addr_t) keys, keys_end, &keys_end) ||\n-+\t grub_add ((grub_addr_t) node->data, node->data->data_size, &data_end) ||\n-+\t keys_end > data_end)\n-+\t {\n-+\t grub_error (GRUB_ERR_BAD_FS, \"invalid number of XFS root keys\");\n-+\t grub_free (leaf);\n-+\t return 0;\n-+\t }\n- \n- for (i = 0; i < nrec; i++)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0017-fs-xfs-Ensuring-failing-to-mount-sets-a-grub_errno.patch b/boot/grub2/0017-fs-xfs-Ensuring-failing-to-mount-sets-a-grub_errno.patch\ndeleted file mode 100644\nindex 98d1be1544..0000000000\n--- a/boot/grub2/0017-fs-xfs-Ensuring-failing-to-mount-sets-a-grub_errno.patch\n+++ /dev/null\n@@ -1,47 +0,0 @@\n-From 9a5c23756f2e2d4ee8438bf449881c8f854e59ab Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 06:03:58 +0100\n-Subject: [PATCH] fs/xfs: Ensuring failing to mount sets a grub_errno\n-\n-It was previously possible for grub_xfs_mount() to return NULL without\n-setting grub_errno if the XFS version was invalid. This resulted in it\n-being possible for grub_dl_unref() to be called twice allowing the XFS\n-module to be unloaded while there were still references to it.\n-\n-Fixing this problem in general by ensuring a grub_errno is set if the\n-fail label is reached.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: d1d6b7ea58aa5a80a4c4d0666b49460056c8ef0a\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/xfs.c | 4 +++-\n- 1 file changed, 3 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index d2d533531..56738a135 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -327,6 +327,8 @@ static int grub_xfs_sb_valid(struct grub_xfs_data *data)\n- \t}\n- return 1;\n- }\n-+\n-+ grub_error (GRUB_ERR_BAD_FS, \"unsupported XFS filesystem version\");\n- return 0;\n- }\n- \n-@@ -1058,7 +1060,7 @@ grub_xfs_mount (grub_disk_t disk)\n- return data;\n- fail:\n- \n-- if (grub_errno == GRUB_ERR_OUT_OF_RANGE)\n-+ if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)\n- grub_error (GRUB_ERR_BAD_FS, \"not an XFS filesystem\");\n- \n- grub_free (data);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0018-kern-file-Ensure-file-data-is-set.patch b/boot/grub2/0018-kern-file-Ensure-file-data-is-set.patch\ndeleted file mode 100644\nindex 1b84ef304b..0000000000\n--- a/boot/grub2/0018-kern-file-Ensure-file-data-is-set.patch\n+++ /dev/null\n@@ -1,37 +0,0 @@\n-From 816fb20ed0a80032e2eaf4c4ccaf989bf20908be Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 03:01:40 +0100\n-Subject: [PATCH] kern/file: Ensure file->data is set\n-\n-This is to avoid a generic issue were some filesystems would not set\n-data and also not set a grub_errno. This meant it was possible for many\n-filesystems to grub_dl_unref() themselves multiple times resulting in\n-it being possible to unload the filesystems while there were still\n-references to them, e.g., via a loopback.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: a7910687294b29288ac649e71b47493c93294f17\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/kern/file.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c\n-index 750177248..e990507fc 100644\n---- a/grub-core/kern/file.c\n-+++ b/grub-core/kern/file.c\n-@@ -114,6 +114,9 @@ grub_file_open (const char *name, enum grub_file_type type)\n- if ((file->fs->fs_open) (file, file_name) != GRUB_ERR_NONE)\n- goto fail;\n- \n-+ if (file->data == NULL)\n-+ goto fail;\n-+\n- file->name = grub_strdup (name);\n- grub_errno = GRUB_ERR_NONE;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0019-kern-file-Implement-filesystem-reference-counting.patch b/boot/grub2/0019-kern-file-Implement-filesystem-reference-counting.patch\ndeleted file mode 100644\nindex 71c53efd44..0000000000\n--- a/boot/grub2/0019-kern-file-Implement-filesystem-reference-counting.patch\n+++ /dev/null\n@@ -1,449 +0,0 @@\n-From a27c4b6da2f4a014e5d096e75790e860bcdb2472 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 10:15:03 +0100\n-Subject: [PATCH] kern/file: Implement filesystem reference counting\n-\n-The grub_file_open() and grub_file_close() should be the only places\n-that allow a reference to a filesystem to stay open. So, add grub_dl_t\n-to grub_fs_t and set this in the GRUB_MOD_INIT() for each filesystem to\n-avoid issues when filesystems forget to do it themselves or do not track\n-their own references, e.g. squash4.\n-\n-The fs_label(), fs_uuid(), fs_mtime() and fs_read() should all ref and\n-unref in the same function but it is essentially redundant in GRUB\n-single threaded model.\n-\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/fs/erofs.c\n-\n-Upstream: 16f196874fbe360a1b3c66064ec15adadf94c57b\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/affs.c | 1 +\n- grub-core/fs/bfs.c | 1 +\n- grub-core/fs/btrfs.c | 1 +\n- grub-core/fs/cbfs.c | 1 +\n- grub-core/fs/cpio.c | 1 +\n- grub-core/fs/cpio_be.c | 1 +\n- grub-core/fs/ext2.c | 1 +\n- grub-core/fs/f2fs.c | 1 +\n- grub-core/fs/fat.c | 1 +\n- grub-core/fs/hfs.c | 1 +\n- grub-core/fs/hfsplus.c | 1 +\n- grub-core/fs/iso9660.c | 1 +\n- grub-core/fs/jfs.c | 1 +\n- grub-core/fs/minix.c | 1 +\n- grub-core/fs/newc.c | 1 +\n- grub-core/fs/nilfs2.c | 1 +\n- grub-core/fs/ntfs.c | 1 +\n- grub-core/fs/odc.c | 1 +\n- grub-core/fs/proc.c | 1 +\n- grub-core/fs/reiserfs.c | 1 +\n- grub-core/fs/romfs.c | 1 +\n- grub-core/fs/sfs.c | 1 +\n- grub-core/fs/squash4.c | 1 +\n- grub-core/fs/tar.c | 1 +\n- grub-core/fs/udf.c | 1 +\n- grub-core/fs/ufs.c | 1 +\n- grub-core/fs/xfs.c | 1 +\n- grub-core/fs/zfs/zfs.c | 1 +\n- grub-core/kern/file.c | 7 +++++++\n- include/grub/fs.h | 4 ++++\n- 30 files changed, 39 insertions(+)\n-\n-diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c\n-index ed606b3f1..9b0afb954 100644\n---- a/grub-core/fs/affs.c\n-+++ b/grub-core/fs/affs.c\n-@@ -703,6 +703,7 @@ static struct grub_fs grub_affs_fs =\n- \n- GRUB_MOD_INIT(affs)\n- {\n-+ grub_affs_fs.mod = mod;\n- grub_fs_register (&grub_affs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c\n-index 07cb3e3ac..f37b16895 100644\n---- a/grub-core/fs/bfs.c\n-+++ b/grub-core/fs/bfs.c\n-@@ -1106,6 +1106,7 @@ GRUB_MOD_INIT (bfs)\n- {\n- COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==\n- \t\t sizeof (struct grub_bfs_extent));\n-+ grub_bfs_fs.mod = mod;\n- grub_fs_register (&grub_bfs_fs);\n- }\n- \n-diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c\n-index ba0c58352..aae81482b 100644\n---- a/grub-core/fs/btrfs.c\n-+++ b/grub-core/fs/btrfs.c\n-@@ -2413,6 +2413,7 @@ static struct grub_fs grub_btrfs_fs = {\n- \n- GRUB_MOD_INIT (btrfs)\n- {\n-+ grub_btrfs_fs.mod = mod;\n- grub_fs_register (&grub_btrfs_fs);\n- }\n- \n-diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c\n-index 8ab7106af..2332745fe 100644\n---- a/grub-core/fs/cbfs.c\n-+++ b/grub-core/fs/cbfs.c\n-@@ -390,6 +390,7 @@ GRUB_MOD_INIT (cbfs)\n- #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)\n- init_cbfsdisk ();\n- #endif\n-+ grub_cbfs_fs.mod = mod;\n- grub_fs_register (&grub_cbfs_fs);\n- }\n- \n-diff --git a/grub-core/fs/cpio.c b/grub-core/fs/cpio.c\n-index dab5f9898..1799f7ff5 100644\n---- a/grub-core/fs/cpio.c\n-+++ b/grub-core/fs/cpio.c\n-@@ -52,6 +52,7 @@ read_number (const grub_uint16_t *arr, grub_size_t size)\n- \n- GRUB_MOD_INIT (cpio)\n- {\n-+ grub_cpio_fs.mod = mod;\n- grub_fs_register (&grub_cpio_fs);\n- }\n- \n-diff --git a/grub-core/fs/cpio_be.c b/grub-core/fs/cpio_be.c\n-index 846548892..7bed1b848 100644\n---- a/grub-core/fs/cpio_be.c\n-+++ b/grub-core/fs/cpio_be.c\n-@@ -52,6 +52,7 @@ read_number (const grub_uint16_t *arr, grub_size_t size)\n- \n- GRUB_MOD_INIT (cpio_be)\n- {\n-+ grub_cpio_fs.mod = mod;\n- grub_fs_register (&grub_cpio_fs);\n- }\n- \n-diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c\n-index 3f9f6b208..c3058f7e7 100644\n---- a/grub-core/fs/ext2.c\n-+++ b/grub-core/fs/ext2.c\n-@@ -1131,6 +1131,7 @@ static struct grub_fs grub_ext2_fs =\n- \n- GRUB_MOD_INIT(ext2)\n- {\n-+ grub_ext2_fs.mod = mod;\n- grub_fs_register (&grub_ext2_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c\n-index db8a65f8d..f6d6beaa5 100644\n---- a/grub-core/fs/f2fs.c\n-+++ b/grub-core/fs/f2fs.c\n-@@ -1353,6 +1353,7 @@ static struct grub_fs grub_f2fs_fs = {\n- \n- GRUB_MOD_INIT (f2fs)\n- {\n-+ grub_f2fs_fs.mod = mod;\n- grub_fs_register (&grub_f2fs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/fat.c b/grub-core/fs/fat.c\n-index c5efed724..6e62b915d 100644\n---- a/grub-core/fs/fat.c\n-+++ b/grub-core/fs/fat.c\n-@@ -1312,6 +1312,7 @@ GRUB_MOD_INIT(fat)\n- #endif\n- {\n- COMPILE_TIME_ASSERT (sizeof (struct grub_fat_dir_entry) == 32);\n-+ grub_fat_fs.mod = mod;\n- grub_fs_register (&grub_fat_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c\n-index 920112b03..ce7581dd5 100644\n---- a/grub-core/fs/hfs.c\n-+++ b/grub-core/fs/hfs.c\n-@@ -1434,6 +1434,7 @@ static struct grub_fs grub_hfs_fs =\n- \n- GRUB_MOD_INIT(hfs)\n- {\n-+ grub_hfs_fs.mod = mod;\n- if (!grub_is_lockdown ())\n- grub_fs_register (&grub_hfs_fs);\n- my_mod = mod;\n-diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c\n-index de71fd486..3f203abcc 100644\n---- a/grub-core/fs/hfsplus.c\n-+++ b/grub-core/fs/hfsplus.c\n-@@ -1176,6 +1176,7 @@ static struct grub_fs grub_hfsplus_fs =\n- \n- GRUB_MOD_INIT(hfsplus)\n- {\n-+ grub_hfsplus_fs.mod = mod;\n- grub_fs_register (&grub_hfsplus_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c\n-index 8e3c95c4f..c73cb9ce0 100644\n---- a/grub-core/fs/iso9660.c\n-+++ b/grub-core/fs/iso9660.c\n-@@ -1260,6 +1260,7 @@ static struct grub_fs grub_iso9660_fs =\n- \n- GRUB_MOD_INIT(iso9660)\n- {\n-+ grub_iso9660_fs.mod = mod;\n- grub_fs_register (&grub_iso9660_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c\n-index 70a2f4947..b0283ac00 100644\n---- a/grub-core/fs/jfs.c\n-+++ b/grub-core/fs/jfs.c\n-@@ -1005,6 +1005,7 @@ static struct grub_fs grub_jfs_fs =\n- \n- GRUB_MOD_INIT(jfs)\n- {\n-+ grub_jfs_fs.mod = mod;\n- grub_fs_register (&grub_jfs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c\n-index 5354951d1..b7679c3e2 100644\n---- a/grub-core/fs/minix.c\n-+++ b/grub-core/fs/minix.c\n-@@ -734,6 +734,7 @@ GRUB_MOD_INIT(minix)\n- #endif\n- #endif\n- {\n-+ grub_minix_fs.mod = mod;\n- grub_fs_register (&grub_minix_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/newc.c b/grub-core/fs/newc.c\n-index 4fb8b2e3d..43b7f8b64 100644\n---- a/grub-core/fs/newc.c\n-+++ b/grub-core/fs/newc.c\n-@@ -64,6 +64,7 @@ read_number (const char *str, grub_size_t size)\n- \n- GRUB_MOD_INIT (newc)\n- {\n-+ grub_cpio_fs.mod = mod;\n- grub_fs_register (&grub_cpio_fs);\n- }\n- \n-diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c\n-index fc7374ead..4e1e71738 100644\n---- a/grub-core/fs/nilfs2.c\n-+++ b/grub-core/fs/nilfs2.c\n-@@ -1231,6 +1231,7 @@ GRUB_MOD_INIT (nilfs2)\n- \t\t\t\t grub_nilfs2_dat_entry));\n- COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE\n- \t\t == sizeof (struct grub_nilfs2_inode));\n-+ grub_nilfs2_fs.mod = mod;\n- grub_fs_register (&grub_nilfs2_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c\n-index de435aa14..560917dc2 100644\n---- a/grub-core/fs/ntfs.c\n-+++ b/grub-core/fs/ntfs.c\n-@@ -1320,6 +1320,7 @@ static struct grub_fs grub_ntfs_fs =\n- \n- GRUB_MOD_INIT (ntfs)\n- {\n-+ grub_ntfs_fs.mod = mod;\n- grub_fs_register (&grub_ntfs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/odc.c b/grub-core/fs/odc.c\n-index 790000622..8e4e8aeac 100644\n---- a/grub-core/fs/odc.c\n-+++ b/grub-core/fs/odc.c\n-@@ -52,6 +52,7 @@ read_number (const char *str, grub_size_t size)\n- \n- GRUB_MOD_INIT (odc)\n- {\n-+ grub_cpio_fs.mod = mod;\n- grub_fs_register (&grub_cpio_fs);\n- }\n- \n-diff --git a/grub-core/fs/proc.c b/grub-core/fs/proc.c\n-index 5f516502d..bcde43349 100644\n---- a/grub-core/fs/proc.c\n-+++ b/grub-core/fs/proc.c\n-@@ -192,6 +192,7 @@ static struct grub_fs grub_procfs_fs =\n- \n- GRUB_MOD_INIT (procfs)\n- {\n-+ grub_procfs_fs.mod = mod;\n- grub_disk_dev_register (&grub_procfs_dev);\n- grub_fs_register (&grub_procfs_fs);\n- }\n-diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c\n-index 36b26ac98..c3850e013 100644\n---- a/grub-core/fs/reiserfs.c\n-+++ b/grub-core/fs/reiserfs.c\n-@@ -1417,6 +1417,7 @@ static struct grub_fs grub_reiserfs_fs =\n- \n- GRUB_MOD_INIT(reiserfs)\n- {\n-+ grub_reiserfs_fs.mod = mod;\n- grub_fs_register (&grub_reiserfs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c\n-index 1f7dcfca1..56b0b2b2f 100644\n---- a/grub-core/fs/romfs.c\n-+++ b/grub-core/fs/romfs.c\n-@@ -475,6 +475,7 @@ static struct grub_fs grub_romfs_fs =\n- \n- GRUB_MOD_INIT(romfs)\n- {\n-+ grub_romfs_fs.mod = mod;\n- grub_fs_register (&grub_romfs_fs);\n- }\n- \n-diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c\n-index 983e88008..f0d7cac43 100644\n---- a/grub-core/fs/sfs.c\n-+++ b/grub-core/fs/sfs.c\n-@@ -779,6 +779,7 @@ static struct grub_fs grub_sfs_fs =\n- \n- GRUB_MOD_INIT(sfs)\n- {\n-+ grub_sfs_fs.mod = mod;\n- grub_fs_register (&grub_sfs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c\n-index a30e6ebe1..6e9d63874 100644\n---- a/grub-core/fs/squash4.c\n-+++ b/grub-core/fs/squash4.c\n-@@ -1044,6 +1044,7 @@ static struct grub_fs grub_squash_fs =\n- \n- GRUB_MOD_INIT(squash4)\n- {\n-+ grub_squash_fs.mod = mod;\n- grub_fs_register (&grub_squash_fs);\n- }\n- \n-diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c\n-index 386c09022..fd2ec1f74 100644\n---- a/grub-core/fs/tar.c\n-+++ b/grub-core/fs/tar.c\n-@@ -354,6 +354,7 @@ static struct grub_fs grub_cpio_fs = {\n- \n- GRUB_MOD_INIT (tar)\n- {\n-+ grub_cpio_fs.mod = mod;\n- grub_fs_register (&grub_cpio_fs);\n- }\n- \n-diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c\n-index b836e6107..8765c633c 100644\n---- a/grub-core/fs/udf.c\n-+++ b/grub-core/fs/udf.c\n-@@ -1455,6 +1455,7 @@ static struct grub_fs grub_udf_fs = {\n- \n- GRUB_MOD_INIT (udf)\n- {\n-+ grub_udf_fs.mod = mod;\n- grub_fs_register (&grub_udf_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c\n-index 01235101b..e82d9356d 100644\n---- a/grub-core/fs/ufs.c\n-+++ b/grub-core/fs/ufs.c\n-@@ -899,6 +899,7 @@ GRUB_MOD_INIT(ufs1)\n- #endif\n- #endif\n- {\n-+ grub_ufs_fs.mod = mod;\n- grub_fs_register (&grub_ufs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index 56738a135..74feeb86a 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -1294,6 +1294,7 @@ static struct grub_fs grub_xfs_fs =\n- \n- GRUB_MOD_INIT(xfs)\n- {\n-+ grub_xfs_fs.mod = mod;\n- grub_fs_register (&grub_xfs_fs);\n- my_mod = mod;\n- }\n-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c\n-index b5453e006..a497b1869 100644\n---- a/grub-core/fs/zfs/zfs.c\n-+++ b/grub-core/fs/zfs/zfs.c\n-@@ -4424,6 +4424,7 @@ static struct grub_fs grub_zfs_fs = {\n- GRUB_MOD_INIT (zfs)\n- {\n- COMPILE_TIME_ASSERT (sizeof (zap_leaf_chunk_t) == ZAP_LEAF_CHUNKSIZE);\n-+ grub_zfs_fs.mod = mod;\n- grub_fs_register (&grub_zfs_fs);\n- #ifndef GRUB_UTIL\n- my_mod = mod;\n-diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c\n-index e990507fc..6e7efe89a 100644\n---- a/grub-core/kern/file.c\n-+++ b/grub-core/kern/file.c\n-@@ -25,6 +25,7 @@\n- #include <grub/fs.h>\n- #include <grub/device.h>\n- #include <grub/i18n.h>\n-+#include <grub/dl.h>\n- \n- void (*EXPORT_VAR (grub_grubnet_fini)) (void);\n- \n-@@ -117,6 +118,9 @@ grub_file_open (const char *name, enum grub_file_type type)\n- if (file->data == NULL)\n- goto fail;\n- \n-+ if (file->fs->mod)\n-+ grub_dl_ref (file->fs->mod);\n-+\n- file->name = grub_strdup (name);\n- grub_errno = GRUB_ERR_NONE;\n- \n-@@ -197,6 +201,9 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)\n- grub_err_t\n- grub_file_close (grub_file_t file)\n- {\n-+ if (file->fs->mod)\n-+ grub_dl_unref (file->fs->mod);\n-+\n- if (file->fs->fs_close)\n- (file->fs->fs_close) (file);\n- \n-diff --git a/include/grub/fs.h b/include/grub/fs.h\n-index 026bc3bb8..df4c93b16 100644\n---- a/include/grub/fs.h\n-+++ b/include/grub/fs.h\n-@@ -23,6 +23,7 @@\n- #include <grub/device.h>\n- #include <grub/symbol.h>\n- #include <grub/types.h>\n-+#include <grub/dl.h>\n- \n- #include <grub/list.h>\n- /* For embedding types. */\n-@@ -57,6 +58,9 @@ struct grub_fs\n- /* My name. */\n- const char *name;\n- \n-+ /* My module */\n-+ grub_dl_t mod;\n-+\n- /* Call HOOK with each file under DIR. */\n- grub_err_t (*fs_dir) (grub_device_t device, const char *path,\n- \t\t grub_fs_dir_hook_t hook, void *hook_data);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0020-disk-loopback-Reference-tracking-for-the-loopback.patch b/boot/grub2/0020-disk-loopback-Reference-tracking-for-the-loopback.patch\ndeleted file mode 100644\nindex 5295251e15..0000000000\n--- a/boot/grub2/0020-disk-loopback-Reference-tracking-for-the-loopback.patch\n+++ /dev/null\n@@ -1,108 +0,0 @@\n-From a81ef3044791e7ee02bd349b5ec0adcbf6947555 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 03:26:19 +0100\n-Subject: [PATCH] disk/loopback: Reference tracking for the loopback\n-\n-It was possible to delete a loopback while there were still references\n-to it. This led to an exploitable use-after-free.\n-\n-Fixed by implementing a reference counting in the grub_loopback struct.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 67f70f70a36b6e87a65f928fe1e840a12eafb7ae\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/disk/loopback.c | 18 ++++++++++++++++++\n- include/grub/err.h | 3 ++-\n- 2 files changed, 20 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/disk/loopback.c b/grub-core/disk/loopback.c\n-index 4635dcfde..2bea4e922 100644\n---- a/grub-core/disk/loopback.c\n-+++ b/grub-core/disk/loopback.c\n-@@ -24,6 +24,7 @@\n- #include <grub/mm.h>\n- #include <grub/extcmd.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -33,6 +34,7 @@ struct grub_loopback\n- grub_file_t file;\n- struct grub_loopback *next;\n- unsigned long id;\n-+ grub_uint64_t refcnt;\n- };\n- \n- static struct grub_loopback *loopback_list;\n-@@ -64,6 +66,8 @@ delete_loopback (const char *name)\n- if (! dev)\n- return grub_error (GRUB_ERR_BAD_DEVICE, \"device not found\");\n- \n-+ if (dev->refcnt > 0)\n-+ return grub_error (GRUB_ERR_STILL_REFERENCED, \"device still referenced\");\n- /* Remove the device from the list. */\n- *prev = dev->next;\n- \n-@@ -120,6 +124,7 @@ grub_cmd_loopback (grub_extcmd_context_t ctxt, int argc, char **args)\n- \n- newdev->file = file;\n- newdev->id = last_id++;\n-+ newdev->refcnt = 0;\n- \n- /* Add the new entry to the list. */\n- newdev->next = loopback_list;\n-@@ -161,6 +166,9 @@ grub_loopback_open (const char *name, grub_disk_t disk)\n- if (! dev)\n- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, \"can't open device\");\n- \n-+ if (grub_add (dev->refcnt, 1, &dev->refcnt))\n-+ grub_fatal (\"Reference count overflow\");\n-+\n- /* Use the filesize for the disk size, round up to a complete sector. */\n- if (dev->file->size != GRUB_FILE_SIZE_UNKNOWN)\n- disk->total_sectors = ((dev->file->size + GRUB_DISK_SECTOR_SIZE - 1)\n-@@ -178,6 +186,15 @@ grub_loopback_open (const char *name, grub_disk_t disk)\n- return 0;\n- }\n- \n-+static void\n-+grub_loopback_close (grub_disk_t disk)\n-+{\n-+ struct grub_loopback *dev = disk->data;\n-+\n-+ if (grub_sub (dev->refcnt, 1, &dev->refcnt))\n-+ grub_fatal (\"Reference count underflow\");\n-+}\n-+\n- static grub_err_t\n- grub_loopback_read (grub_disk_t disk, grub_disk_addr_t sector,\n- \t\t grub_size_t size, char *buf)\n-@@ -220,6 +237,7 @@ static struct grub_disk_dev grub_loopback_dev =\n- .id = GRUB_DISK_DEVICE_LOOPBACK_ID,\n- .disk_iterate = grub_loopback_iterate,\n- .disk_open = grub_loopback_open,\n-+ .disk_close = grub_loopback_close,\n- .disk_read = grub_loopback_read,\n- .disk_write = grub_loopback_write,\n- .next = 0\n-diff --git a/include/grub/err.h b/include/grub/err.h\n-index 1c07034cd..b0e54e0a0 100644\n---- a/include/grub/err.h\n-+++ b/include/grub/err.h\n-@@ -73,7 +73,8 @@ typedef enum\n- GRUB_ERR_NET_NO_DOMAIN,\n- GRUB_ERR_EOF,\n- GRUB_ERR_BAD_SIGNATURE,\n-- GRUB_ERR_BAD_FIRMWARE\n-+ GRUB_ERR_BAD_FIRMWARE,\n-+ GRUB_ERR_STILL_REFERENCED\n- }\n- grub_err_t;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0021-kern-disk-Limit-recursion-depth.patch b/boot/grub2/0021-kern-disk-Limit-recursion-depth.patch\ndeleted file mode 100644\nindex 8d2390ac55..0000000000\n--- a/boot/grub2/0021-kern-disk-Limit-recursion-depth.patch\n+++ /dev/null\n@@ -1,125 +0,0 @@\n-From 195331a7a64c2a4ba754e2527ca8973012db68c9 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 04:09:24 +0100\n-Subject: [PATCH] kern/disk: Limit recursion depth\n-\n-The grub_disk_read() may trigger other disk reads, e.g. via loopbacks.\n-This may lead to very deep recursion which can corrupt the heap. So, fix\n-the issue by limiting reads depth.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 18212f0648b6de7d71d4c8f41eb4d8b78b3a299b\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/kern/disk.c | 27 ++++++++++++++++++++-------\n- include/grub/err.h | 3 ++-\n- 2 files changed, 22 insertions(+), 8 deletions(-)\n-\n-diff --git a/grub-core/kern/disk.c b/grub-core/kern/disk.c\n-index 1eda58fe9..82e04fd00 100644\n---- a/grub-core/kern/disk.c\n-+++ b/grub-core/kern/disk.c\n-@@ -28,6 +28,10 @@\n- \n- #define\tGRUB_CACHE_TIMEOUT\t2\n- \n-+/* Disk reads may trigger other disk reads. So, limit recursion depth. */\n-+#define MAX_READ_RECURSION_DEPTH\t16\n-+static unsigned int read_recursion_depth = 0;\n-+\n- /* The last time the disk was used. */\n- static grub_uint64_t grub_last_time = 0;\n- \n-@@ -417,6 +421,8 @@ grub_err_t\n- grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,\n- \t\tgrub_off_t offset, grub_size_t size, void *buf)\n- {\n-+ grub_err_t err = GRUB_ERR_NONE;\n-+\n- /* First of all, check if the region is within the disk. */\n- if (grub_disk_adjust_range (disk, §or, &offset, size) != GRUB_ERR_NONE)\n- {\n-@@ -427,12 +433,17 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,\n- return grub_errno;\n- }\n- \n-+ if (++read_recursion_depth >= MAX_READ_RECURSION_DEPTH)\n-+ {\n-+ grub_error (GRUB_ERR_RECURSION_DEPTH, \"grub_disk_read(): Maximum recursion depth exceeded\");\n-+ goto error;\n-+ }\n-+\n- /* First read until first cache boundary. */\n- if (offset || (sector & (GRUB_DISK_CACHE_SIZE - 1)))\n- {\n- grub_disk_addr_t start_sector;\n- grub_size_t pos;\n-- grub_err_t err;\n- grub_size_t len;\n- \n- start_sector = sector & ~((grub_disk_addr_t) GRUB_DISK_CACHE_SIZE - 1);\n-@@ -444,7 +455,7 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,\n- err = grub_disk_read_small (disk, start_sector,\n- \t\t\t\t offset + pos, len, buf);\n- if (err)\n--\treturn err;\n-+\tgoto error;\n- buf = (char *) buf + len;\n- size -= len;\n- offset += len;\n-@@ -457,7 +468,6 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,\n- {\n- char *data = NULL;\n- grub_disk_addr_t agglomerate;\n-- grub_err_t err;\n- \n- /* agglomerate read until we find a first cached entry. */\n- for (agglomerate = 0; agglomerate\n-@@ -493,7 +503,7 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,\n- \t\t\t\t\t\t\t- disk->log_sector_size),\n- \t\t\t\t\tbuf);\n- \t if (err)\n--\t return err;\n-+\t goto error;\n- \n- \t for (i = 0; i < agglomerate; i ++)\n- \t grub_disk_cache_store (disk->dev->id, disk->id,\n-@@ -527,13 +537,16 @@ grub_disk_read (grub_disk_t disk, grub_disk_addr_t sector,\n- /* And now read the last part. */\n- if (size)\n- {\n-- grub_err_t err;\n- err = grub_disk_read_small (disk, sector, 0, size, buf);\n- if (err)\n--\treturn err;\n-+\tgoto error;\n- }\n- \n-- return grub_errno;\n-+ err = grub_errno;\n-+\n-+ error:\n-+ read_recursion_depth--;\n-+ return err;\n- }\n- \n- grub_uint64_t\n-diff --git a/include/grub/err.h b/include/grub/err.h\n-index b0e54e0a0..202fa8a7a 100644\n---- a/include/grub/err.h\n-+++ b/include/grub/err.h\n-@@ -74,7 +74,8 @@ typedef enum\n- GRUB_ERR_EOF,\n- GRUB_ERR_BAD_SIGNATURE,\n- GRUB_ERR_BAD_FIRMWARE,\n-- GRUB_ERR_STILL_REFERENCED\n-+ GRUB_ERR_STILL_REFERENCED,\n-+ GRUB_ERR_RECURSION_DEPTH\n- }\n- grub_err_t;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0022-kern-partition-Limit-recursion-in-part_iterate.patch b/boot/grub2/0022-kern-partition-Limit-recursion-in-part_iterate.patch\ndeleted file mode 100644\nindex 03183abf2f..0000000000\n--- a/boot/grub2/0022-kern-partition-Limit-recursion-in-part_iterate.patch\n+++ /dev/null\n@@ -1,49 +0,0 @@\n-From 3f1c5f55e7ef7b872c3ae59c0c41f1e07508a943 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sat, 16 Nov 2024 21:24:19 +0000\n-Subject: [PATCH] kern/partition: Limit recursion in part_iterate()\n-\n-The part_iterate() is used by grub_partition_iterate() as a callback in\n-the partition iterate functions. However, part_iterate() may also call\n-the partition iterate functions which may lead to recursion. Fix potential\n-issue by limiting the recursion depth.\n-\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 8a7103fddfd6664f41081f3bb88eebbf2871da2a\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/kern/partition.c | 10 +++++++++-\n- 1 file changed, 9 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c\n-index edad9f9e4..704512a20 100644\n---- a/grub-core/kern/partition.c\n-+++ b/grub-core/kern/partition.c\n-@@ -28,6 +28,9 @@\n- \n- grub_partition_map_t grub_partition_map_list;\n- \n-+#define MAX_RECURSION_DEPTH\t32\n-+static unsigned int recursion_depth = 0;\n-+\n- /*\n- * Checks that disk->partition contains part. This function assumes that the\n- * start of part is relative to the start of disk->partition. Returns 1 if\n-@@ -208,7 +211,12 @@ part_iterate (grub_disk_t dsk, const grub_partition_t partition, void *data)\n- FOR_PARTITION_MAPS(partmap)\n- {\n- \tgrub_err_t err;\n--\terr = partmap->iterate (dsk, part_iterate, ctx);\n-+\trecursion_depth++;\n-+\tif (recursion_depth <= MAX_RECURSION_DEPTH)\n-+\t err = partmap->iterate (dsk, part_iterate, ctx);\n-+\telse\n-+\t err = grub_error (GRUB_ERR_RECURSION_DEPTH, \"maximum recursion depth exceeded\");\n-+\trecursion_depth--;\n- \tif (err)\n- \t grub_errno = GRUB_ERR_NONE;\n- \tif (ctx->ret)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0023-script-execute-Limit-the-recursion-depth.patch b/boot/grub2/0023-script-execute-Limit-the-recursion-depth.patch\ndeleted file mode 100644\nindex f0e922c27a..0000000000\n--- a/boot/grub2/0023-script-execute-Limit-the-recursion-depth.patch\n+++ /dev/null\n@@ -1,60 +0,0 @@\n-From 2a094a7116c56519a42a13c96e77bdeda6069076 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 18 Apr 2024 19:04:13 +0100\n-Subject: [PATCH] script/execute: Limit the recursion depth\n-\n-If unbounded recursion is allowed it becomes possible to collide the\n-stack with the heap. As UEFI firmware often lacks guard pages this\n-becomes an exploitable issue as it is possible in some cases to do\n-a controlled overwrite of a section of this heap region with\n-arbitrary data.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: d8a937ccae5c6d86dc4375698afca5cefdcd01e1\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/script/execute.c | 14 ++++++++++++++\n- 1 file changed, 14 insertions(+)\n-\n-diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c\n-index 14ff09094..e1450f45d 100644\n---- a/grub-core/script/execute.c\n-+++ b/grub-core/script/execute.c\n-@@ -33,10 +33,18 @@\n- is sizeof (int) * 3, and one extra for a possible -ve sign. */\n- #define ERRNO_DIGITS_MAX (sizeof (int) * 3 + 1)\n- \n-+/*\n-+ * A limit on recursion, to avoid colliding with the heap. UEFI defines a baseline\n-+ * stack size of 128 KiB. So, assuming at most 1-2 KiB per iteration this should\n-+ * keep us safe.\n-+ */\n-+#define MAX_RECURSION_DEPTH 64\n-+\n- static unsigned long is_continue;\n- static unsigned long active_loops;\n- static unsigned long active_breaks;\n- static unsigned long function_return;\n-+static unsigned long recursion_depth;\n- \n- #define GRUB_SCRIPT_SCOPE_MALLOCED 1\n- #define GRUB_SCRIPT_SCOPE_ARGS_MALLOCED 2\n-@@ -816,7 +824,13 @@ grub_script_execute_cmd (struct grub_script_cmd *cmd)\n- if (cmd == 0)\n- return 0;\n- \n-+ recursion_depth++;\n-+\n-+ if (recursion_depth >= MAX_RECURSION_DEPTH)\n-+ return grub_error (GRUB_ERR_RECURSION_DEPTH, N_(\"maximum recursion depth exceeded\"));\n-+\n- ret = cmd->exec (cmd);\n-+ recursion_depth--;\n- \n- grub_snprintf (errnobuf, sizeof (errnobuf), \"%d\", ret);\n- grub_env_set (\"?\", errnobuf);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0024-net-Unregister-net_default_ip-and-net_default_mac-va.patch b/boot/grub2/0024-net-Unregister-net_default_ip-and-net_default_mac-va.patch\ndeleted file mode 100644\nindex 881493e567..0000000000\n--- a/boot/grub2/0024-net-Unregister-net_default_ip-and-net_default_mac-va.patch\n+++ /dev/null\n@@ -1,34 +0,0 @@\n-From b9a8d2cb984f0a5fd92fe7275dfa280466dd82ce Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 28 Nov 2024 04:05:04 +0000\n-Subject: [PATCH] net: Unregister net_default_ip and net_default_mac variables\n- hooks on unload\n-\n-The net module is a dependency of normal. So, it shouldn't be possible\n-to unload the net. Though unregister variables hooks as a precaution.\n-It also gets in line with unregistering the other net module hooks.\n-\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: a1dd8e59da26f1a9608381d3a1a6c0f465282b1d\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/net.c | 2 ++\n- 1 file changed, 2 insertions(+)\n-\n-diff --git a/grub-core/net/net.c b/grub-core/net/net.c\n-index 8cad4fb6d..f69c67b64 100644\n---- a/grub-core/net/net.c\n-+++ b/grub-core/net/net.c\n-@@ -2072,6 +2072,8 @@ GRUB_MOD_FINI(net)\n- {\n- grub_register_variable_hook (\"net_default_server\", 0, 0);\n- grub_register_variable_hook (\"pxe_default_server\", 0, 0);\n-+ grub_register_variable_hook (\"net_default_ip\", 0, 0);\n-+ grub_register_variable_hook (\"net_default_mac\", 0, 0);\n- \n- grub_bootp_fini ();\n- grub_dns_fini ();\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0025-net-Remove-variables-hooks-when-interface-is-unregis.patch b/boot/grub2/0025-net-Remove-variables-hooks-when-interface-is-unregis.patch\ndeleted file mode 100644\nindex 3c6bd1fc83..0000000000\n--- a/boot/grub2/0025-net-Remove-variables-hooks-when-interface-is-unregis.patch\n+++ /dev/null\n@@ -1,93 +0,0 @@\n-From 883c8721591c1f7a186e2f3cdc8a4f140bd81ce9 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Fri, 1 Nov 2024 23:49:48 +0000\n-Subject: [PATCH] net: Remove variables hooks when interface is unregisted\n-\n-The grub_net_network_level_interface_unregister(), previously\n-implemented in a header, did not remove the variables hooks that\n-were registered in grub_net_network_level_interface_register().\n-Fix this by implementing the same logic used to register the\n-variables and move the function into the grub-core/net/net.c.\n-\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/net/net.c\n-\n-Upstream: aa8b4d7facef7b75a2703274b1b9d4e0e734c401\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/net.c | 33 +++++++++++++++++++++++++++++++++\n- include/grub/net.h | 11 +----------\n- 2 files changed, 34 insertions(+), 10 deletions(-)\n-\n-diff --git a/grub-core/net/net.c b/grub-core/net/net.c\n-index f69c67b64..8dbb0eada 100644\n---- a/grub-core/net/net.c\n-+++ b/grub-core/net/net.c\n-@@ -1094,6 +1094,39 @@ grub_cmd_delroute (struct grub_command *cmd __attribute__ ((unused)),\n- return GRUB_ERR_NONE;\n- }\n- \n-+void\n-+grub_net_network_level_interface_unregister (struct grub_net_network_level_interface *inter)\n-+{\n-+ char *name;\n-+\n-+ {\n-+ char buf[GRUB_NET_MAX_STR_HWADDR_LEN];\n-+\n-+ grub_net_hwaddr_to_str (&inter->hwaddress, buf);\n-+ name = grub_xasprintf (\"net_%s_mac\", inter->name);\n-+ if (name != NULL)\n-+ grub_register_variable_hook (name, NULL, NULL);\n-+ grub_free (name);\n-+ }\n-+\n-+ {\n-+ char buf[GRUB_NET_MAX_STR_ADDR_LEN];\n-+\n-+ grub_net_addr_to_str (&inter->address, buf);\n-+ name = grub_xasprintf (\"net_%s_ip\", inter->name);\n-+ if (name != NULL)\n-+ grub_register_variable_hook (name, NULL, NULL);\n-+ grub_free (name);\n-+ }\n-+\n-+ inter->card->num_ifaces--;\n-+ *inter->prev = inter->next;\n-+ if (inter->next)\n-+ inter->next->prev = inter->prev;\n-+ inter->next = 0;\n-+ inter->prev = 0;\n-+}\n-+\n- grub_err_t\n- grub_net_add_route (const char *name,\n- \t\t grub_net_network_level_netaddress_t target,\n-diff --git a/include/grub/net.h b/include/grub/net.h\n-index 844e501c1..228d04963 100644\n---- a/include/grub/net.h\n-+++ b/include/grub/net.h\n-@@ -540,16 +540,7 @@ void grub_bootp_fini (void);\n- void grub_dns_init (void);\n- void grub_dns_fini (void);\n- \n--static inline void\n--grub_net_network_level_interface_unregister (struct grub_net_network_level_interface *inter)\n--{\n-- inter->card->num_ifaces--;\n-- *inter->prev = inter->next;\n-- if (inter->next)\n-- inter->next->prev = inter->prev;\n-- inter->next = 0;\n-- inter->prev = 0;\n--}\n-+void grub_net_network_level_interface_unregister (struct grub_net_network_level_interface *inter);\n- \n- void\n- grub_net_tcp_retransmit (void);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0026-net-Fix-OOB-write-in-grub_net_search_config_file.patch b/boot/grub2/0026-net-Fix-OOB-write-in-grub_net_search_config_file.patch\ndeleted file mode 100644\nindex b047b150bc..0000000000\n--- a/boot/grub2/0026-net-Fix-OOB-write-in-grub_net_search_config_file.patch\n+++ /dev/null\n@@ -1,89 +0,0 @@\n-From 7ad4117be44d8cf0443bbc58d49e592a33aaac89 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Fri, 15 Nov 2024 13:12:09 +0000\n-Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()\n-\n-The function included a call to grub_strcpy() which copied data from an\n-environment variable to a buffer allocated in grub_cmd_normal(). The\n-grub_cmd_normal() didn't consider the length of the environment variable.\n-So, the copy operation could exceed the allocation and lead to an OOB\n-write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and\n-pass the underlying buffers size to the grub_net_search_config_file().\n-\n-Fixes: CVE-2025-0624\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/normal/main.c\n-\n-Upstream: 5eef88152833062a3f7e017535372d64ac8ef7e1\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/net.c | 7 ++++---\n- grub-core/normal/main.c | 2 +-\n- include/grub/net.h | 2 +-\n- 3 files changed, 6 insertions(+), 5 deletions(-)\n-\n-diff --git a/grub-core/net/net.c b/grub-core/net/net.c\n-index 8dbb0eada..2bd490279 100644\n---- a/grub-core/net/net.c\n-+++ b/grub-core/net/net.c\n-@@ -1942,14 +1942,15 @@ grub_config_search_through (char *config, char *suffix,\n- }\n- \n- grub_err_t\n--grub_net_search_config_file (char *config)\n-+grub_net_search_config_file (char *config, grub_size_t config_buf_len)\n- {\n-- grub_size_t config_len;\n-+ grub_size_t config_len, suffix_len;\n- char *suffix;\n- \n- config_len = grub_strlen (config);\n- config[config_len] = '-';\n- suffix = config + config_len + 1;\n-+ suffix_len = config_buf_len - (config_len + 1);\n- \n- struct grub_net_network_level_interface *inf;\n- FOR_NET_NETWORK_LEVEL_INTERFACES (inf)\n-@@ -1975,7 +1976,7 @@ grub_net_search_config_file (char *config)\n- \n- if (client_uuid)\n- {\n-- grub_strcpy (suffix, client_uuid);\n-+ grub_strlcpy (suffix, client_uuid, suffix_len);\n- if (grub_config_search_through (config, suffix, 1, 0) == 0)\n- return GRUB_ERR_NONE;\n- }\n-diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c\n-index bd4431000..3b48cd333 100644\n---- a/grub-core/normal/main.c\n-+++ b/grub-core/normal/main.c\n-@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),\n- \n- if (grub_strncmp (prefix + 1, \"tftp\", sizeof (\"tftp\") - 1) == 0 &&\n- !disable_net_search)\n-- grub_net_search_config_file (config);\n-+\t grub_net_search_config_file (config, config_len);\n- \n- \t grub_enter_normal_mode (config);\n- \t grub_free (config);\n-diff --git a/include/grub/net.h b/include/grub/net.h\n-index 228d04963..58a4f83fc 100644\n---- a/include/grub/net.h\n-+++ b/include/grub/net.h\n-@@ -570,7 +570,7 @@ void\n- grub_net_remove_dns_server (const struct grub_net_network_level_address *s);\n- \n- grub_err_t\n--grub_net_search_config_file (char *config);\n-+grub_net_search_config_file (char *config, grub_size_t config_buf_len);\n- \n- extern char *grub_net_default_server;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0027-net-tftp-Fix-stack-buffer-overflow-in-tftp_open.patch b/boot/grub2/0027-net-tftp-Fix-stack-buffer-overflow-in-tftp_open.patch\ndeleted file mode 100644\nindex 76b18ace8f..0000000000\n--- a/boot/grub2/0027-net-tftp-Fix-stack-buffer-overflow-in-tftp_open.patch\n+++ /dev/null\n@@ -1,120 +0,0 @@\n-From 8284fca0f096d01f566eadfdc790232df9f2934e Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 18 Apr 2024 17:32:34 +0100\n-Subject: [PATCH] net/tftp: Fix stack buffer overflow in tftp_open()\n-\n-An overly long filename can be passed to tftp_open() which would cause\n-grub_normalize_filename() to write out of bounds.\n-\n-Fixed by adding an extra argument to grub_normalize_filename() for the\n-space available, making it act closer to a strlcpy(). As several fixed\n-strings are strcpy()'d after into the same buffer, their total length is\n-checked to see if they exceed the remaining space in the buffer. If so,\n-return an error.\n-\n-On the occasion simplify code a bit by removing unneeded rrqlen zeroing.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 0707accab1b9be5d3645d4700dde3f99209f9367\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/tftp.c | 38 ++++++++++++++++++++++++--------------\n- 1 file changed, 24 insertions(+), 14 deletions(-)\n-\n-diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c\n-index 409b1d09b..336b78691 100644\n---- a/grub-core/net/tftp.c\n-+++ b/grub-core/net/tftp.c\n-@@ -266,17 +266,19 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),\n- * forward slashes to a single forward slash.\n- */\n- static void\n--grub_normalize_filename (char *normalized, const char *filename)\n-+grub_normalize_filename (char *normalized, const char *filename, int c)\n- {\n- char *dest = normalized;\n- const char *src = filename;\n- \n-- while (*src != '\\0')\n-+ while (*src != '\\0' && c > 0)\n- {\n- if (src[0] == '/' && src[1] == '/')\n- src++;\n-- else\n-+ else {\n-+ c--;\n- *dest++ = *src++;\n-+ }\n- }\n- *dest = '\\0';\n- }\n-@@ -287,7 +289,7 @@ tftp_open (struct grub_file *file, const char *filename)\n- struct tftphdr *tftph;\n- char *rrq;\n- int i;\n-- int rrqlen;\n-+ int rrqlen, rrqsize;\n- int hdrlen;\n- grub_uint8_t open_data[1500];\n- struct grub_net_buff nb;\n-@@ -315,37 +317,45 @@ tftp_open (struct grub_file *file, const char *filename)\n- \n- tftph = (struct tftphdr *) nb.data;\n- \n-- rrq = (char *) tftph->u.rrq;\n-- rrqlen = 0;\n--\n- tftph->opcode = grub_cpu_to_be16_compile_time (TFTP_RRQ);\n- \n-+ rrq = (char *) tftph->u.rrq;\n-+ rrqsize = sizeof (tftph->u.rrq);\n-+\n- /*\n- * Copy and normalize the filename to work-around issues on some TFTP\n- * servers when file names are being matched for remapping.\n- */\n-- grub_normalize_filename (rrq, filename);\n-- rrqlen += grub_strlen (rrq) + 1;\n-+ grub_normalize_filename (rrq, filename, rrqsize);\n-+\n-+ rrqlen = grub_strlen (rrq) + 1;\n- rrq += grub_strlen (rrq) + 1;\n- \n-- grub_strcpy (rrq, \"octet\");\n-+ /* Verify there is enough space for the remaining components. */\n- rrqlen += grub_strlen (\"octet\") + 1;\n-+ rrqlen += grub_strlen (\"blksize\") + 1;\n-+ rrqlen += grub_strlen (\"1024\") + 1;\n-+ rrqlen += grub_strlen (\"tsize\") + 1;\n-+ rrqlen += grub_strlen (\"0\") + 1;\n-+\n-+ if (rrqlen >= rrqsize) {\n-+ grub_free (data);\n-+ return grub_error (GRUB_ERR_BAD_FILENAME, N_(\"filename too long\"));\n-+ }\n-+\n-+ grub_strcpy (rrq, \"octet\");\n- rrq += grub_strlen (\"octet\") + 1;\n- \n- grub_strcpy (rrq, \"blksize\");\n-- rrqlen += grub_strlen (\"blksize\") + 1;\n- rrq += grub_strlen (\"blksize\") + 1;\n- \n- grub_strcpy (rrq, \"1024\");\n-- rrqlen += grub_strlen (\"1024\") + 1;\n- rrq += grub_strlen (\"1024\") + 1;\n- \n- grub_strcpy (rrq, \"tsize\");\n-- rrqlen += grub_strlen (\"tsize\") + 1;\n- rrq += grub_strlen (\"tsize\") + 1;\n- \n- grub_strcpy (rrq, \"0\");\n-- rrqlen += grub_strlen (\"0\") + 1;\n- rrq += grub_strlen (\"0\") + 1;\n- hdrlen = sizeof (tftph->opcode) + rrqlen;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0028-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch b/boot/grub2/0028-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch\ndeleted file mode 100644\nindex 6ea951225a..0000000000\n--- a/boot/grub2/0028-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch\n+++ /dev/null\n@@ -1,38 +0,0 @@\n-From 8368710fbce5c040227fca8bf10828ad1632f84f Mon Sep 17 00:00:00 2001\n-From: Daniel Axtens <dja@axtens.net>\n-Date: Fri, 8 Mar 2024 22:47:20 +1100\n-Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in\n- JPEG\n-\n-Otherwise a subsequent header could change the height and width\n-allowing future OOB writes.\n-\n-Fixes: CVE-2024-45774\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Daniel Axtens <dja@axtens.net>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 2c34af908ebf4856051ed29e46d88abd2b20387f\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/video/readers/jpeg.c | 4 ++++\n- 1 file changed, 4 insertions(+)\n-\n-diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c\n-index ae634fd41..631a89356 100644\n---- a/grub-core/video/readers/jpeg.c\n-+++ b/grub-core/video/readers/jpeg.c\n-@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)\n- if (grub_errno != GRUB_ERR_NONE)\n- return grub_errno;\n- \n-+ if (data->image_height != 0 || data->image_width != 0)\n-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,\n-+\t\t \"jpeg: cannot have duplicate SOF0 markers\");\n-+\n- if (grub_jpeg_get_byte (data) != 8)\n- return grub_error (GRUB_ERR_BAD_FILE_TYPE,\n- \t\t \"jpeg: only 8-bit precision is supported\");\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0029-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch b/boot/grub2/0029-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch\ndeleted file mode 100644\nindex cea0dede41..0000000000\n--- a/boot/grub2/0029-kern-dl-Fix-for-an-integer-overflow-in-grub_dl_ref.patch\n+++ /dev/null\n@@ -1,143 +0,0 @@\n-From 4d70ddc5255b6d3f752da4120f593d7007222ca2 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 18 Apr 2024 15:59:26 +0100\n-Subject: [PATCH] kern/dl: Fix for an integer overflow in grub_dl_ref()\n-\n-It was possible to overflow the value of mod->ref_count, a signed\n-integer, by repeatedly invoking insmod on an already loaded module.\n-This led to a use-after-free. As once ref_count was overflowed it became\n-possible to unload the module while there was still references to it.\n-\n-This resolves the issue by using grub_add() to check if the ref_count\n-will overflow and then stops further increments. Further changes were\n-also made to grub_dl_unref() to check for the underflow condition and\n-the reference count was changed to an unsigned 64-bit integer.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 500e5fdd82ca40412b0b73f5e5dda38e4a3af96d\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/minicmd.c | 2 +-\n- grub-core/kern/dl.c | 17 ++++++++++++-----\n- include/grub/dl.h | 8 ++++----\n- util/misc.c | 4 ++--\n- 4 files changed, 19 insertions(+), 12 deletions(-)\n-\n-diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c\n-index fa498931e..286290866 100644\n---- a/grub-core/commands/minicmd.c\n-+++ b/grub-core/commands/minicmd.c\n-@@ -167,7 +167,7 @@ grub_mini_cmd_lsmod (struct grub_command *cmd __attribute__ ((unused)),\n- {\n- grub_dl_dep_t dep;\n- \n-- grub_printf (\"%s\\t%d\\t\\t\", mod->name, mod->ref_count);\n-+ grub_printf (\"%s\\t%\" PRIuGRUB_UINT64_T \"\\t\\t\", mod->name, mod->ref_count);\n- for (dep = mod->dep; dep; dep = dep->next)\n- {\n- \tif (dep != mod->dep)\n-diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c\n-index 0bf40caa6..1a38742e6 100644\n---- a/grub-core/kern/dl.c\n-+++ b/grub-core/kern/dl.c\n-@@ -32,6 +32,7 @@\n- #include <grub/env.h>\n- #include <grub/cache.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- /* Platforms where modules are in a readonly area of memory. */\n- #if defined(GRUB_MACHINE_QEMU)\n-@@ -532,7 +533,7 @@ grub_dl_resolve_dependencies (grub_dl_t mod, Elf_Ehdr *e)\n- return GRUB_ERR_NONE;\n- }\n- \n--int\n-+grub_uint64_t\n- grub_dl_ref (grub_dl_t mod)\n- {\n- grub_dl_dep_t dep;\n-@@ -543,10 +544,13 @@ grub_dl_ref (grub_dl_t mod)\n- for (dep = mod->dep; dep; dep = dep->next)\n- grub_dl_ref (dep->mod);\n- \n-- return ++mod->ref_count;\n-+ if (grub_add (mod->ref_count, 1, &mod->ref_count))\n-+ grub_fatal (\"Module reference count overflow\");\n-+\n-+ return mod->ref_count;\n- }\n- \n--int\n-+grub_uint64_t\n- grub_dl_unref (grub_dl_t mod)\n- {\n- grub_dl_dep_t dep;\n-@@ -557,10 +561,13 @@ grub_dl_unref (grub_dl_t mod)\n- for (dep = mod->dep; dep; dep = dep->next)\n- grub_dl_unref (dep->mod);\n- \n-- return --mod->ref_count;\n-+ if (grub_sub (mod->ref_count, 1, &mod->ref_count))\n-+ grub_fatal (\"Module reference count underflow\");\n-+\n-+ return mod->ref_count;\n- }\n- \n--int\n-+grub_uint64_t\n- grub_dl_ref_count (grub_dl_t mod)\n- {\n- if (mod == NULL)\n-diff --git a/include/grub/dl.h b/include/grub/dl.h\n-index cd1f46c8b..f0a94e273 100644\n---- a/include/grub/dl.h\n-+++ b/include/grub/dl.h\n-@@ -174,7 +174,7 @@ typedef struct grub_dl_dep *grub_dl_dep_t;\n- struct grub_dl\n- {\n- char *name;\n-- int ref_count;\n-+ grub_uint64_t ref_count;\n- int persistent;\n- grub_dl_dep_t dep;\n- grub_dl_segment_t segment;\n-@@ -203,9 +203,9 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);\n- grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);\n- grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);\n- int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);\n--extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);\n--extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);\n--extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);\n-+extern grub_uint64_t EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);\n-+extern grub_uint64_t EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);\n-+extern grub_uint64_t EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);\n- \n- extern grub_dl_t EXPORT_VAR(grub_dl_head);\n- \n-diff --git a/util/misc.c b/util/misc.c\n-index d545212d9..0f928e5b4 100644\n---- a/util/misc.c\n-+++ b/util/misc.c\n-@@ -190,14 +190,14 @@ grub_xputs_real (const char *str)\n- \n- void (*grub_xputs) (const char *str) = grub_xputs_real;\n- \n--int\n-+grub_uint64_t\n- grub_dl_ref (grub_dl_t mod)\n- {\n- (void) mod;\n- return 0;\n- }\n- \n--int\n-+grub_uint64_t\n- grub_dl_unref (grub_dl_t mod)\n- {\n- (void) mod;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0030-kern-dl-Check-for-the-SHF_INFO_LINK-flag-in-grub_dl_.patch b/boot/grub2/0030-kern-dl-Check-for-the-SHF_INFO_LINK-flag-in-grub_dl_.patch\ndeleted file mode 100644\nindex 9ca04547d4..0000000000\n--- a/boot/grub2/0030-kern-dl-Check-for-the-SHF_INFO_LINK-flag-in-grub_dl_.patch\n+++ /dev/null\n@@ -1,46 +0,0 @@\n-From 91c2e44d3d29d11b339bec954142521148924ed1 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 7 Nov 2024 06:00:36 +0000\n-Subject: [PATCH] kern/dl: Check for the SHF_INFO_LINK flag in\n- grub_dl_relocate_symbols()\n-\n-The grub_dl_relocate_symbols() iterates through the sections in\n-an ELF looking for relocation sections. According to the spec [1]\n-the SHF_INFO_LINK flag should be set if the sh_info field is meant\n-to be a section index.\n-\n-[1] https://refspecs.linuxbase.org/elf/gabi4+/ch4.sheader.html\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/kern/dl.c\n-\n-Conflicts:\n-\tgrub-core/kern/dl.c\n-\n-Upstream: 98ad84328dcabfa603dcf5bd217570aa6b4bdd99\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/kern/dl.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c\n-index 1a38742e6..958de3bf1 100644\n---- a/grub-core/kern/dl.c\n-+++ b/grub-core/kern/dl.c\n-@@ -599,6 +599,9 @@ grub_dl_relocate_symbols (grub_dl_t mod, void *ehdr)\n- \tgrub_dl_segment_t seg;\n- \tgrub_err_t err;\n- \n-+ if (!(s->sh_flags & SHF_INFO_LINK))\n-+ continue;\n-+\n- \t/* Find the target segment. */\n- \tfor (seg = mod->segment; seg; seg = seg->next)\n- \t if (seg->section == s->sh_info)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0031-commands-extcmd-Missing-check-for-failed-allocation.patch b/boot/grub2/0031-commands-extcmd-Missing-check-for-failed-allocation.patch\ndeleted file mode 100644\nindex 8a1cdd867d..0000000000\n--- a/boot/grub2/0031-commands-extcmd-Missing-check-for-failed-allocation.patch\n+++ /dev/null\n@@ -1,39 +0,0 @@\n-From 239a16a303228574f61a82c6fbb041688dff65d0 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Fri, 22 Nov 2024 06:27:55 +0000\n-Subject: [PATCH] commands/extcmd: Missing check for failed allocation\n-\n-The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate\n-a grub_arg_list struct but it does not verify the allocation was successful.\n-In case of failed allocation the NULL state pointer can be accessed in\n-parse_option() through grub_arg_parse() which may lead to a security issue.\n-\n-Fixes: CVE-2024-45775\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Upstream: 05be856a8c3aae41f5df90cab7796ab7ee34b872\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/extcmd.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c\n-index 90a5ca24a..c236be13a 100644\n---- a/grub-core/commands/extcmd.c\n-+++ b/grub-core/commands/extcmd.c\n-@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,\n- }\n- \n- state = grub_arg_list_alloc (ext, argc, args);\n-+ if (state == NULL)\n-+ return grub_errno;\n-+\n- if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))\n- {\n- context.state = state;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0032-commands-ls-Fix-NULL-dereference.patch b/boot/grub2/0032-commands-ls-Fix-NULL-dereference.patch\ndeleted file mode 100644\nindex 48b03e74f4..0000000000\n--- a/boot/grub2/0032-commands-ls-Fix-NULL-dereference.patch\n+++ /dev/null\n@@ -1,37 +0,0 @@\n-From 322d82364cc0db30b1ae4fc0adfdf7a43adc91ef Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Sun, 12 May 2024 11:08:23 +0100\n-Subject: [PATCH] commands/ls: Fix NULL dereference\n-\n-The grub_strrchr() may return NULL when the dirname do not contain \"/\".\n-This can happen on broken filesystems.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 0bf56bce47489c059e50e61a3db7f682d8c44b56\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/ls.c | 6 +++++-\n- 1 file changed, 5 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c\n-index 6a1c7f5d3..f660946a2 100644\n---- a/grub-core/commands/ls.c\n-+++ b/grub-core/commands/ls.c\n-@@ -241,7 +241,11 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)\n- \n- \t grub_file_close (file);\n- \n--\t p = grub_strrchr (dirname, '/') + 1;\n-+\t p = grub_strrchr (dirname, '/');\n-+\t if (p == NULL)\n-+\t goto fail;\n-+\t ++p;\n-+\n- \t ctx.dirname = grub_strndup (dirname, p - dirname);\n- \t if (ctx.dirname == NULL)\n- \t goto fail;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0033-commands-pgp-Unregister-the-check_signatures-hooks-o.patch b/boot/grub2/0033-commands-pgp-Unregister-the-check_signatures-hooks-o.patch\ndeleted file mode 100644\nindex 6bfc0dd7c3..0000000000\n--- a/boot/grub2/0033-commands-pgp-Unregister-the-check_signatures-hooks-o.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From c05c4d591ef5f21fefd95fc928fe123a12f2bfb0 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Fri, 1 Nov 2024 19:24:29 +0000\n-Subject: [PATCH] commands/pgp: Unregister the \"check_signatures\" hooks on\n- module unload\n-\n-If the hooks are not removed they can be called after the module has\n-been unloaded leading to an use-after-free.\n-\n-Fixes: CVE-2025-0622\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 2123c5bca7e21fbeb0263df4597ddd7054700726\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/pgp.c | 2 ++\n- 1 file changed, 2 insertions(+)\n-\n-diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c\n-index c6766f044..5fadc33c4 100644\n---- a/grub-core/commands/pgp.c\n-+++ b/grub-core/commands/pgp.c\n-@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)\n- \n- GRUB_MOD_FINI(pgp)\n- {\n-+ grub_register_variable_hook (\"check_signatures\", NULL, NULL);\n-+ grub_env_unset (\"check_signatures\");\n- grub_verifier_unregister (&grub_pubkey_verifier);\n- grub_unregister_extcmd (cmd);\n- grub_unregister_extcmd (cmd_trust);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0034-normal-Remove-variables-hooks-on-module-unload.patch b/boot/grub2/0034-normal-Remove-variables-hooks-on-module-unload.patch\ndeleted file mode 100644\nindex a2028ad6c0..0000000000\n--- a/boot/grub2/0034-normal-Remove-variables-hooks-on-module-unload.patch\n+++ /dev/null\n@@ -1,42 +0,0 @@\n-From 6290cc499f0fcaa82b3764cf1d9beb2ff27d82a1 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Fri, 1 Nov 2024 23:46:55 +0000\n-Subject: [PATCH] normal: Remove variables hooks on module unload\n-\n-The normal module does not entirely cleanup after itself in\n-its GRUB_MOD_FINI() leaving a few variables hooks in place.\n-It is not possible to unload normal module now but fix the\n-issues for completeness.\n-\n-On the occasion replace 0s with NULLs for \"pager\" variable\n-hooks unregister.\n-\n-Fixes: CVE-2025-0622\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 9c16197734ada8d0838407eebe081117799bfe67\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/normal/main.c | 4 +++-\n- 1 file changed, 3 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c\n-index 3b48cd333..5d848c864 100644\n---- a/grub-core/normal/main.c\n-+++ b/grub-core/normal/main.c\n-@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal)\n- grub_xputs = grub_xputs_saved;\n- \n- grub_set_history (0);\n-- grub_register_variable_hook (\"pager\", 0, 0);\n-+ grub_register_variable_hook (\"pager\", NULL, NULL);\n-+ grub_register_variable_hook (\"color_normal\", NULL, NULL);\n-+ grub_register_variable_hook (\"color_highlight\", NULL, NULL);\n- grub_fs_autoload_hook = 0;\n- grub_unregister_command (cmd_clear);\n- }\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0035-gettext-Remove-variables-hooks-on-module-unload.patch b/boot/grub2/0035-gettext-Remove-variables-hooks-on-module-unload.patch\ndeleted file mode 100644\nindex caf9764131..0000000000\n--- a/boot/grub2/0035-gettext-Remove-variables-hooks-on-module-unload.patch\n+++ /dev/null\n@@ -1,39 +0,0 @@\n-From 69e0cb299c479e01e1c13a032172d29293db8e69 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Fri, 1 Nov 2024 23:52:06 +0000\n-Subject: [PATCH] gettext: Remove variables hooks on module unload\n-\n-The gettext module does not entirely cleanup after itself in\n-its GRUB_MOD_FINI() leaving a few variables hooks in place.\n-It is not possible to unload gettext module because normal\n-module depends on it. Though fix the issues for completeness.\n-\n-Fixes: CVE-2025-0622\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 7580addfc8c94cedb0cdfd7a1fd65b539215e637\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/gettext/gettext.c | 4 ++++\n- 1 file changed, 4 insertions(+)\n-\n-diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c\n-index 7a1c14e4f..e4f4f8ee6 100644\n---- a/grub-core/gettext/gettext.c\n-+++ b/grub-core/gettext/gettext.c\n-@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext)\n- \n- GRUB_MOD_FINI (gettext)\n- {\n-+ grub_register_variable_hook (\"locale_dir\", NULL, NULL);\n-+ grub_register_variable_hook (\"secondary_locale_dir\", NULL, NULL);\n-+ grub_register_variable_hook (\"lang\", NULL, NULL);\n-+\n- grub_gettext_delete_list (&main_context);\n- grub_gettext_delete_list (&secondary_context);\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0036-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch b/boot/grub2/0036-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch\ndeleted file mode 100644\nindex 84d2fd9bc8..0000000000\n--- a/boot/grub2/0036-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch\n+++ /dev/null\n@@ -1,40 +0,0 @@\n-From 31b3e24947c6dbb65ea2eca30ddd168dc47513ce Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Fri, 22 Nov 2024 06:27:56 +0000\n-Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read\n-\n-Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may\n-overflow leading to subsequent OOB write or read. This patch fixes the\n-issue by replacing grub_zalloc() and explicit multiplication with\n-grub_calloc() which does the same thing in safe manner.\n-\n-Fixes: CVE-2024-45776\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Upstream: 09bd6eb58b0f71ec273916070fa1e2de16897a91\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/gettext/gettext.c | 4 ++--\n- 1 file changed, 2 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c\n-index e4f4f8ee6..63bb1ab73 100644\n---- a/grub-core/gettext/gettext.c\n-+++ b/grub-core/gettext/gettext.c\n-@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,\n- for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;\n- ctx->grub_gettext_max_log++);\n- \n-- ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max\n--\t\t\t\t\t * sizeof (ctx->grub_gettext_msg_list[0]));\n-+ ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,\n-+\t\t\t\t\t sizeof (ctx->grub_gettext_msg_list[0]));\n- if (!ctx->grub_gettext_msg_list)\n- {\n- grub_file_close (fd);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch b/boot/grub2/0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch\ndeleted file mode 100644\nindex b9638caabb..0000000000\n--- a/boot/grub2/0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch\n+++ /dev/null\n@@ -1,58 +0,0 @@\n-From dfe673e457e9eb5c7c0c68d8385ba176476de7d7 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Fri, 22 Nov 2024 06:27:57 +0000\n-Subject: [PATCH] gettext: Integer overflow leads to heap OOB write\n-\n-The size calculation of the translation buffer in\n-grub_gettext_getstr_from_position() may overflow\n-to 0 leading to heap OOB write. This patch fixes\n-the issue by using grub_add() and checking for\n-an overflow.\n-\n-CVE: CVE-2024-45777\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Alec Brown <alec.r.brown@oracle.com>\n-Upstream: b970a5ed967816bbca8225994cd0ee2557bad515\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/gettext/gettext.c | 7 ++++++-\n- 1 file changed, 6 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c\n-index 63bb1ab73..9ffc73428 100644\n---- a/grub-core/gettext/gettext.c\n-+++ b/grub-core/gettext/gettext.c\n-@@ -26,6 +26,7 @@\n- #include <grub/file.h>\n- #include <grub/kernel.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,\n- char *translation;\n- struct string_descriptor desc;\n- grub_err_t err;\n-+ grub_size_t alloc_sz;\n- \n- internal_position = (off + position * sizeof (desc));\n- \n-@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,\n- length = grub_cpu_to_le32 (desc.length);\n- offset = grub_cpu_to_le32 (desc.offset);\n- \n-- translation = grub_malloc (length + 1);\n-+ if (grub_add (length, 1, &alloc_sz))\n-+ return NULL;\n-+\n-+ translation = grub_malloc (alloc_sz);\n- if (!translation)\n- return NULL;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0038-commands-read-Fix-an-integer-overflow-when-supplying.patch b/boot/grub2/0038-commands-read-Fix-an-integer-overflow-when-supplying.patch\ndeleted file mode 100644\nindex c3e1d8b5bf..0000000000\n--- a/boot/grub2/0038-commands-read-Fix-an-integer-overflow-when-supplying.patch\n+++ /dev/null\n@@ -1,74 +0,0 @@\n-From 762eda67c7b0e83011040d5dbcc2ddc9a03b90cd Mon Sep 17 00:00:00 2001\n-From: Jonathan Bar Or <jonathanbaror@gmail.com>\n-Date: Thu, 23 Jan 2025 19:17:05 +0100\n-Subject: [PATCH] commands/read: Fix an integer overflow when supplying more\n- than 2^31 characters\n-\n-The grub_getline() function currently has a signed integer variable \"i\"\n-that can be overflown when user supplies more than 2^31 characters.\n-It results in a memory corruption of the allocated line buffer as well\n-as supplying large negative values to grub_realloc().\n-\n-Fixes: CVE-2025-0690\n-\n-Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>\n-Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: dad8f502974ed9ad0a70ae6820d17b4b142558fc\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/read.c | 19 +++++++++++++++----\n- 1 file changed, 15 insertions(+), 4 deletions(-)\n-\n-diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c\n-index 597c90706..8d72e45c9 100644\n---- a/grub-core/commands/read.c\n-+++ b/grub-core/commands/read.c\n-@@ -25,6 +25,7 @@\n- #include <grub/types.h>\n- #include <grub/extcmd.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =\n- static char *\n- grub_getline (int silent)\n- {\n-- int i;\n-+ grub_size_t i;\n- char *line;\n- char *tmp;\n- int c;\n-+ grub_size_t alloc_size;\n- \n- i = 0;\n-- line = grub_malloc (1 + i + sizeof('\\0'));\n-+ line = grub_malloc (1 + sizeof('\\0'));\n- if (! line)\n- return NULL;\n- \n-@@ -59,8 +61,17 @@ grub_getline (int silent)\n- line[i] = (char) c;\n- if (!silent)\n- \tgrub_printf (\"%c\", c);\n-- i++;\n-- tmp = grub_realloc (line, 1 + i + sizeof('\\0'));\n-+ if (grub_add (i, 1, &i))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow is detected\"));\n-+ return NULL;\n-+ }\n-+ if (grub_add (i, 1 + sizeof('\\0'), &alloc_size))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow is detected\"));\n-+ return NULL;\n-+ }\n-+ tmp = grub_realloc (line, alloc_size);\n- if (! tmp)\n- \t{\n- \t grub_free (line);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0039-commands-test-Stack-overflow-due-to-unlimited-recurs.patch b/boot/grub2/0039-commands-test-Stack-overflow-due-to-unlimited-recurs.patch\ndeleted file mode 100644\nindex 73675cc3d9..0000000000\n--- a/boot/grub2/0039-commands-test-Stack-overflow-due-to-unlimited-recurs.patch\n+++ /dev/null\n@@ -1,88 +0,0 @@\n-From 926fe49003b6b46d595d5900893c8ca79710bbd2 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Mon, 16 Dec 2024 20:22:41 +0000\n-Subject: [PATCH] commands/test: Stack overflow due to unlimited recursion\n- depth\n-\n-The test_parse() evaluates test expression recursively. Due to lack of\n-recursion depth check a specially crafted expression may cause a stack\n-overflow. The recursion is only triggered by the parentheses usage and\n-it can be unlimited. However, sensible expressions are unlikely to\n-contain more than a few parentheses. So, this patch limits the recursion\n-depth to 100, which should be sufficient.\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: c68b7d23628a19da67ebe2e06f84165ee04961af\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/test.c | 21 ++++++++++++++++++---\n- 1 file changed, 18 insertions(+), 3 deletions(-)\n-\n-diff --git a/grub-core/commands/test.c b/grub-core/commands/test.c\n-index 62d3fb398..b585c3d70 100644\n---- a/grub-core/commands/test.c\n-+++ b/grub-core/commands/test.c\n-@@ -29,6 +29,9 @@\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-+/* Set a limit on recursion to avoid stack overflow. */\n-+#define MAX_TEST_RECURSION_DEPTH\t100\n-+\n- /* A simple implementation for signed numbers. */\n- static int\n- grub_strtosl (char *arg, const char ** const end, int base)\n-@@ -150,7 +153,7 @@ get_fileinfo (char *path, struct test_parse_ctx *ctx)\n- \n- /* Parse a test expression starting from *argn. */\n- static int\n--test_parse (char **args, int *argn, int argc)\n-+test_parse (char **args, int *argn, int argc, int *depth)\n- {\n- struct test_parse_ctx ctx = {\n- .and = 1,\n-@@ -387,13 +390,24 @@ test_parse (char **args, int *argn, int argc)\n- if (grub_strcmp (args[*argn], \")\") == 0)\n- \t{\n- \t (*argn)++;\n-+\t if (*depth > 0)\n-+\t (*depth)--;\n-+\n- \t return ctx.or || ctx.and;\n- \t}\n- /* Recursively invoke if parenthesis. */\n- if (grub_strcmp (args[*argn], \"(\") == 0)\n- \t{\n- \t (*argn)++;\n--\t update_val (test_parse (args, argn, argc), &ctx);\n-+\n-+\t if (++(*depth) > MAX_TEST_RECURSION_DEPTH)\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"max recursion depth exceeded\"));\n-+\t depth--;\n-+\t return ctx.or || ctx.and;\n-+\t }\n-+\n-+\t update_val (test_parse (args, argn, argc, depth), &ctx);\n- \t continue;\n- \t}\n- \n-@@ -428,11 +442,12 @@ grub_cmd_test (grub_command_t cmd __attribute__ ((unused)),\n- \t int argc, char **args)\n- {\n- int argn = 0;\n-+ int depth = 0;\n- \n- if (argc >= 1 && grub_strcmp (args[argc - 1], \"]\") == 0)\n- argc--;\n- \n-- return test_parse (args, &argn, argc) ? GRUB_ERR_NONE\n-+ return test_parse (args, &argn, argc, &depth) ? GRUB_ERR_NONE\n- : grub_error (GRUB_ERR_TEST_FAILURE, N_(\"false\"));\n- }\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0040-commands-minicmd-Block-the-dump-command-in-lockdown-.patch b/boot/grub2/0040-commands-minicmd-Block-the-dump-command-in-lockdown-.patch\ndeleted file mode 100644\nindex 23e02cfa1a..0000000000\n--- a/boot/grub2/0040-commands-minicmd-Block-the-dump-command-in-lockdown-.patch\n+++ /dev/null\n@@ -1,38 +0,0 @@\n-From 2864e6ca7ac492d5215c369a6a52a57c6e602f55 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 18 Apr 2024 20:29:39 +0100\n-Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode\n-\n-The dump enables a user to read memory which should not be possible\n-in lockdown mode.\n-\n-Fixes: CVE-2025-1118\n-\n-Reported-by: B Horn <b@horn.uk>\n-Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 34824806ac6302f91e8cabaa41308eaced25725f\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/minicmd.c | 4 ++--\n- 1 file changed, 2 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c\n-index 286290866..8c5ee3e60 100644\n---- a/grub-core/commands/minicmd.c\n-+++ b/grub-core/commands/minicmd.c\n-@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd)\n- grub_register_command (\"help\", grub_mini_cmd_help,\n- \t\t\t 0, N_(\"Show this message.\"));\n- cmd_dump =\n-- grub_register_command (\"dump\", grub_mini_cmd_dump,\n--\t\t\t N_(\"ADDR [SIZE]\"), N_(\"Show memory contents.\"));\n-+ grub_register_command_lockdown (\"dump\", grub_mini_cmd_dump,\n-+\t\t\t\t N_(\"ADDR [SIZE]\"), N_(\"Show memory contents.\"));\n- cmd_rmmod =\n- grub_register_command (\"rmmod\", grub_mini_cmd_rmmod,\n- \t\t\t N_(\"MODULE\"), N_(\"Remove a module.\"));\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0041-commands-memrw-Disable-memory-reading-in-lockdown-mo.patch b/boot/grub2/0041-commands-memrw-Disable-memory-reading-in-lockdown-mo.patch\ndeleted file mode 100644\nindex 968a42f4f9..0000000000\n--- a/boot/grub2/0041-commands-memrw-Disable-memory-reading-in-lockdown-mo.patch\n+++ /dev/null\n@@ -1,55 +0,0 @@\n-From 51c3e37bb23b3ce1919f3ff582cb31fc32a10b4b Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Thu, 18 Apr 2024 20:37:10 +0100\n-Subject: [PATCH] commands/memrw: Disable memory reading in lockdown mode\n-\n-With the rest of module being blocked in lockdown mode it does not make\n-a lot of sense to leave memory reading enabled. This also goes in par\n-with disabling the dump command.\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 340e4d058f584534f4b90b7dbea2b64a9f8c418c\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/memrw.c | 21 ++++++++++++---------\n- 1 file changed, 12 insertions(+), 9 deletions(-)\n-\n-diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c\n-index d401a6db0..3542683d1 100644\n---- a/grub-core/commands/memrw.c\n-+++ b/grub-core/commands/memrw.c\n-@@ -122,17 +122,20 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)\n- GRUB_MOD_INIT(memrw)\n- {\n- cmd_read_byte =\n-- grub_register_extcmd (\"read_byte\", grub_cmd_read, 0,\n--\t\t\t N_(\"ADDR\"), N_(\"Read 8-bit value from ADDR.\"),\n--\t\t\t options);\n-+ grub_register_extcmd_lockdown (\"read_byte\", grub_cmd_read, 0,\n-+ N_(\"ADDR\"),\n-+ N_(\"Read 8-bit value from ADDR.\"),\n-+ options);\n- cmd_read_word =\n-- grub_register_extcmd (\"read_word\", grub_cmd_read, 0,\n--\t\t\t N_(\"ADDR\"), N_(\"Read 16-bit value from ADDR.\"),\n--\t\t\t options);\n-+ grub_register_extcmd_lockdown (\"read_word\", grub_cmd_read, 0,\n-+ N_(\"ADDR\"),\n-+ N_(\"Read 16-bit value from ADDR.\"),\n-+ options);\n- cmd_read_dword =\n-- grub_register_extcmd (\"read_dword\", grub_cmd_read, 0,\n--\t\t\t N_(\"ADDR\"), N_(\"Read 32-bit value from ADDR.\"),\n--\t\t\t options);\n-+ grub_register_extcmd_lockdown (\"read_dword\", grub_cmd_read, 0,\n-+ N_(\"ADDR\"),\n-+ N_(\"Read 32-bit value from ADDR.\"),\n-+ options);\n- cmd_write_byte =\n- grub_register_command_lockdown (\"write_byte\", grub_cmd_write,\n- N_(\"ADDR VALUE [MASK]\"),\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0042-commands-hexdump-Disable-memory-reading-in-lockdown-.patch b/boot/grub2/0042-commands-hexdump-Disable-memory-reading-in-lockdown-.patch\ndeleted file mode 100644\nindex fcced2b3b8..0000000000\n--- a/boot/grub2/0042-commands-hexdump-Disable-memory-reading-in-lockdown-.patch\n+++ /dev/null\n@@ -1,42 +0,0 @@\n-From d5028a608b21c6fa6ff02e4d84a96ab28034d170 Mon Sep 17 00:00:00 2001\n-From: B Horn <b@horn.uk>\n-Date: Fri, 19 Apr 2024 22:31:45 +0100\n-Subject: [PATCH] commands/hexdump: Disable memory reading in lockdown mode\n-\n-Reported-by: B Horn <b@horn.uk>\n-Signed-off-by: B Horn <b@horn.uk>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 5f31164aed51f498957cdd6ed733ec71a8592c99\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/commands/hexdump.c | 7 ++++++-\n- 1 file changed, 6 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/commands/hexdump.c b/grub-core/commands/hexdump.c\n-index eaa12465b..d6f61d98a 100644\n---- a/grub-core/commands/hexdump.c\n-+++ b/grub-core/commands/hexdump.c\n-@@ -24,6 +24,7 @@\n- #include <grub/lib/hexdump.h>\n- #include <grub/extcmd.h>\n- #include <grub/i18n.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -51,7 +52,11 @@ grub_cmd_hexdump (grub_extcmd_context_t ctxt, int argc, char **args)\n- length = (state[1].set) ? grub_strtoul (state[1].arg, 0, 0) : 256;\n- \n- if (!grub_strcmp (args[0], \"(mem)\"))\n-- hexdump (skip, (char *) (grub_addr_t) skip, length);\n-+ {\n-+ if (grub_is_lockdown() == GRUB_LOCKDOWN_ENABLED)\n-+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_(\"memory reading is disabled in lockdown mode\"));\n-+ hexdump (skip, (char *) (grub_addr_t) skip, length);\n-+ }\n- else if ((args[0][0] == '(') && (args[0][namelen - 1] == ')'))\n- {\n- grub_disk_t disk;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0043-fs-bfs-Disable-under-lockdown.patch b/boot/grub2/0043-fs-bfs-Disable-under-lockdown.patch\ndeleted file mode 100644\nindex 7598254496..0000000000\n--- a/boot/grub2/0043-fs-bfs-Disable-under-lockdown.patch\n+++ /dev/null\n@@ -1,57 +0,0 @@\n-From 71487b0cf0f7c3fa45f450ed1f3ea4cedd8002a1 Mon Sep 17 00:00:00 2001\n-From: Daniel Axtens <dja@axtens.net>\n-Date: Sat, 23 Mar 2024 15:59:43 +1100\n-Subject: [PATCH] fs/bfs: Disable under lockdown\n-\n-The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.\n-This will also disable the AFS.\n-\n-CVE: CVE-2024-45778\n-CVE: CVE-2024-45779\n-\n-Reported-by: Nils Langius <nils@langius.de>\n-Signed-off-by: Daniel Axtens <dja@axtens.net>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 26db6605036bd9e5b16d9068a8cc75be63b8b630\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/bfs.c | 11 ++++++++---\n- 1 file changed, 8 insertions(+), 3 deletions(-)\n-\n-diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c\n-index f37b16895..c92fd7916 100644\n---- a/grub-core/fs/bfs.c\n-+++ b/grub-core/fs/bfs.c\n-@@ -30,6 +30,7 @@\n- #include <grub/types.h>\n- #include <grub/i18n.h>\n- #include <grub/fshelp.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -1106,8 +1107,11 @@ GRUB_MOD_INIT (bfs)\n- {\n- COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==\n- \t\t sizeof (struct grub_bfs_extent));\n-- grub_bfs_fs.mod = mod;\n-- grub_fs_register (&grub_bfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_bfs_fs.mod = mod;\n-+ grub_fs_register (&grub_bfs_fs);\n-+ }\n- }\n- \n- #ifdef MODE_AFS\n-@@ -1116,5 +1120,6 @@ GRUB_MOD_FINI (afs)\n- GRUB_MOD_FINI (bfs)\n- #endif\n- {\n-- grub_fs_unregister (&grub_bfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_bfs_fs);\n- }\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0044-fs-Disable-many-filesystems-under-lockdown.patch b/boot/grub2/0044-fs-Disable-many-filesystems-under-lockdown.patch\ndeleted file mode 100644\nindex 778903533d..0000000000\n--- a/boot/grub2/0044-fs-Disable-many-filesystems-under-lockdown.patch\n+++ /dev/null\n@@ -1,396 +0,0 @@\n-From f0846530aef66583064a6707430437912dda5fa9 Mon Sep 17 00:00:00 2001\n-From: Daniel Axtens <dja@axtens.net>\n-Date: Sat, 23 Mar 2024 16:20:45 +1100\n-Subject: [PATCH] fs: Disable many filesystems under lockdown\n-\n-The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,\n-hfsplus, iso9660, squash4, tar, xfs and zfs.\n-\n-The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were\n-reported by Jonathan Bar Or <jonathanbaror@gmail.com>.\n-\n-CVE: CVE-2025-0677\n-CVE: CVE-2025-0684\n-CVE: CVE-2025-0685\n-CVE: CVE-2025-0686\n-CVE: CVE-2025-0689\n-\n-Suggested-by: Daniel Axtens <dja@axtens.net>\n-Signed-off-by: Daniel Axtens <dja@axtens.net>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: c4bc55da28543d2522a939ba4ee0acde45f2fa74\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/affs.c | 11 ++++++++---\n- grub-core/fs/cbfs.c | 11 ++++++++---\n- grub-core/fs/jfs.c | 11 ++++++++---\n- grub-core/fs/minix.c | 11 ++++++++---\n- grub-core/fs/nilfs2.c | 11 ++++++++---\n- grub-core/fs/ntfs.c | 11 ++++++++---\n- grub-core/fs/reiserfs.c | 11 ++++++++---\n- grub-core/fs/romfs.c | 11 ++++++++---\n- grub-core/fs/sfs.c | 11 ++++++++---\n- grub-core/fs/udf.c | 11 ++++++++---\n- grub-core/fs/ufs.c | 11 ++++++++---\n- 11 files changed, 88 insertions(+), 33 deletions(-)\n-\n-diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c\n-index 9b0afb954..520a001c7 100644\n---- a/grub-core/fs/affs.c\n-+++ b/grub-core/fs/affs.c\n-@@ -26,6 +26,7 @@\n- #include <grub/types.h>\n- #include <grub/fshelp.h>\n- #include <grub/charset.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -703,12 +704,16 @@ static struct grub_fs grub_affs_fs =\n- \n- GRUB_MOD_INIT(affs)\n- {\n-- grub_affs_fs.mod = mod;\n-- grub_fs_register (&grub_affs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_affs_fs.mod = mod;\n-+ grub_fs_register (&grub_affs_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI(affs)\n- {\n-- grub_fs_unregister (&grub_affs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_affs_fs);\n- }\n-diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c\n-index 2332745fe..b62c8777c 100644\n---- a/grub-core/fs/cbfs.c\n-+++ b/grub-core/fs/cbfs.c\n-@@ -26,6 +26,7 @@\n- #include <grub/dl.h>\n- #include <grub/i18n.h>\n- #include <grub/cbfs_core.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -390,13 +391,17 @@ GRUB_MOD_INIT (cbfs)\n- #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)\n- init_cbfsdisk ();\n- #endif\n-- grub_cbfs_fs.mod = mod;\n-- grub_fs_register (&grub_cbfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_cbfs_fs.mod = mod;\n-+ grub_fs_register (&grub_cbfs_fs);\n-+ }\n- }\n- \n- GRUB_MOD_FINI (cbfs)\n- {\n-- grub_fs_unregister (&grub_cbfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_cbfs_fs);\n- #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)\n- fini_cbfsdisk ();\n- #endif\n-diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c\n-index b0283ac00..ab175c7f1 100644\n---- a/grub-core/fs/jfs.c\n-+++ b/grub-core/fs/jfs.c\n-@@ -26,6 +26,7 @@\n- #include <grub/types.h>\n- #include <grub/charset.h>\n- #include <grub/i18n.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -1005,12 +1006,16 @@ static struct grub_fs grub_jfs_fs =\n- \n- GRUB_MOD_INIT(jfs)\n- {\n-- grub_jfs_fs.mod = mod;\n-- grub_fs_register (&grub_jfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_jfs_fs.mod = mod;\n-+ grub_fs_register (&grub_jfs_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI(jfs)\n- {\n-- grub_fs_unregister (&grub_jfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_jfs_fs);\n- }\n-diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c\n-index b7679c3e2..4440fcca8 100644\n---- a/grub-core/fs/minix.c\n-+++ b/grub-core/fs/minix.c\n-@@ -25,6 +25,7 @@\n- #include <grub/dl.h>\n- #include <grub/types.h>\n- #include <grub/i18n.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -734,8 +735,11 @@ GRUB_MOD_INIT(minix)\n- #endif\n- #endif\n- {\n-- grub_minix_fs.mod = mod;\n-- grub_fs_register (&grub_minix_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_minix_fs.mod = mod;\n-+ grub_fs_register (&grub_minix_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n-@@ -757,5 +761,6 @@ GRUB_MOD_FINI(minix)\n- #endif\n- #endif\n- {\n-- grub_fs_unregister (&grub_minix_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_minix_fs);\n- }\n-diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c\n-index 4e1e71738..26e6077ff 100644\n---- a/grub-core/fs/nilfs2.c\n-+++ b/grub-core/fs/nilfs2.c\n-@@ -34,6 +34,7 @@\n- #include <grub/dl.h>\n- #include <grub/types.h>\n- #include <grub/fshelp.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -1231,12 +1232,16 @@ GRUB_MOD_INIT (nilfs2)\n- \t\t\t\t grub_nilfs2_dat_entry));\n- COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE\n- \t\t == sizeof (struct grub_nilfs2_inode));\n-- grub_nilfs2_fs.mod = mod;\n-- grub_fs_register (&grub_nilfs2_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_nilfs2_fs.mod = mod;\n-+ grub_fs_register (&grub_nilfs2_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI (nilfs2)\n- {\n-- grub_fs_unregister (&grub_nilfs2_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_nilfs2_fs);\n- }\n-diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c\n-index 560917dc2..bce81947c 100644\n---- a/grub-core/fs/ntfs.c\n-+++ b/grub-core/fs/ntfs.c\n-@@ -27,6 +27,7 @@\n- #include <grub/fshelp.h>\n- #include <grub/ntfs.h>\n- #include <grub/charset.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -1320,12 +1321,16 @@ static struct grub_fs grub_ntfs_fs =\n- \n- GRUB_MOD_INIT (ntfs)\n- {\n-- grub_ntfs_fs.mod = mod;\n-- grub_fs_register (&grub_ntfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_ntfs_fs.mod = mod;\n-+ grub_fs_register (&grub_ntfs_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI (ntfs)\n- {\n-- grub_fs_unregister (&grub_ntfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_ntfs_fs);\n- }\n-diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c\n-index c3850e013..5d3c85950 100644\n---- a/grub-core/fs/reiserfs.c\n-+++ b/grub-core/fs/reiserfs.c\n-@@ -39,6 +39,7 @@\n- #include <grub/types.h>\n- #include <grub/fshelp.h>\n- #include <grub/i18n.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -1417,12 +1418,16 @@ static struct grub_fs grub_reiserfs_fs =\n- \n- GRUB_MOD_INIT(reiserfs)\n- {\n-- grub_reiserfs_fs.mod = mod;\n-- grub_fs_register (&grub_reiserfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_reiserfs_fs.mod = mod;\n-+ grub_fs_register (&grub_reiserfs_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI(reiserfs)\n- {\n-- grub_fs_unregister (&grub_reiserfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_reiserfs_fs);\n- }\n-diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c\n-index 56b0b2b2f..eafab03b2 100644\n---- a/grub-core/fs/romfs.c\n-+++ b/grub-core/fs/romfs.c\n-@@ -23,6 +23,7 @@\n- #include <grub/disk.h>\n- #include <grub/fs.h>\n- #include <grub/fshelp.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -475,11 +476,15 @@ static struct grub_fs grub_romfs_fs =\n- \n- GRUB_MOD_INIT(romfs)\n- {\n-- grub_romfs_fs.mod = mod;\n-- grub_fs_register (&grub_romfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_romfs_fs.mod = mod;\n-+ grub_fs_register (&grub_romfs_fs);\n-+ }\n- }\n- \n- GRUB_MOD_FINI(romfs)\n- {\n-- grub_fs_unregister (&grub_romfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_romfs_fs);\n- }\n-diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c\n-index f0d7cac43..88705b3a2 100644\n---- a/grub-core/fs/sfs.c\n-+++ b/grub-core/fs/sfs.c\n-@@ -26,6 +26,7 @@\n- #include <grub/types.h>\n- #include <grub/fshelp.h>\n- #include <grub/charset.h>\n-+#include <grub/lockdown.h>\n- #include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n-@@ -779,12 +780,16 @@ static struct grub_fs grub_sfs_fs =\n- \n- GRUB_MOD_INIT(sfs)\n- {\n-- grub_sfs_fs.mod = mod;\n-- grub_fs_register (&grub_sfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_sfs_fs.mod = mod;\n-+ grub_fs_register (&grub_sfs_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI(sfs)\n- {\n-- grub_fs_unregister (&grub_sfs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_sfs_fs);\n- }\n-diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c\n-index 8765c633c..3d5ee5af5 100644\n---- a/grub-core/fs/udf.c\n-+++ b/grub-core/fs/udf.c\n-@@ -27,6 +27,7 @@\n- #include <grub/fshelp.h>\n- #include <grub/charset.h>\n- #include <grub/datetime.h>\n-+#include <grub/lockdown.h>\n- #include <grub/udf.h>\n- #include <grub/safemath.h>\n- \n-@@ -1455,12 +1456,16 @@ static struct grub_fs grub_udf_fs = {\n- \n- GRUB_MOD_INIT (udf)\n- {\n-- grub_udf_fs.mod = mod;\n-- grub_fs_register (&grub_udf_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_udf_fs.mod = mod;\n-+ grub_fs_register (&grub_udf_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n- GRUB_MOD_FINI (udf)\n- {\n-- grub_fs_unregister (&grub_udf_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_udf_fs);\n- }\n-diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c\n-index e82d9356d..8b5adbd48 100644\n---- a/grub-core/fs/ufs.c\n-+++ b/grub-core/fs/ufs.c\n-@@ -25,6 +25,7 @@\n- #include <grub/dl.h>\n- #include <grub/types.h>\n- #include <grub/i18n.h>\n-+#include <grub/lockdown.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -899,8 +900,11 @@ GRUB_MOD_INIT(ufs1)\n- #endif\n- #endif\n- {\n-- grub_ufs_fs.mod = mod;\n-- grub_fs_register (&grub_ufs_fs);\n-+ if (!grub_is_lockdown ())\n-+ {\n-+ grub_ufs_fs.mod = mod;\n-+ grub_fs_register (&grub_ufs_fs);\n-+ }\n- my_mod = mod;\n- }\n- \n-@@ -914,6 +918,7 @@ GRUB_MOD_FINI(ufs1)\n- #endif\n- #endif\n- {\n-- grub_fs_unregister (&grub_ufs_fs);\n-+ if (!grub_is_lockdown ())\n-+ grub_fs_unregister (&grub_ufs_fs);\n- }\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0045-disk-Use-safe-math-macros-to-prevent-overflows.patch b/boot/grub2/0045-disk-Use-safe-math-macros-to-prevent-overflows.patch\ndeleted file mode 100644\nindex 3ddd168ad5..0000000000\n--- a/boot/grub2/0045-disk-Use-safe-math-macros-to-prevent-overflows.patch\n+++ /dev/null\n@@ -1,551 +0,0 @@\n-From b6bdea00ea1a3d6b0b7551133279cbc7ff23bdf6 Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Wed, 22 Jan 2025 02:55:09 +0000\n-Subject: [PATCH] disk: Use safe math macros to prevent overflows\n-\n-Replace direct arithmetic operations with macros from include/grub/safemath.h\n-to prevent potential overflow issues when calculating the memory sizes.\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/disk/cryptodisk.c\n-\n-Upstream: c407724dad6c3e2fc1571e57adbda71cc03f82aa\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/disk/cryptodisk.c | 36 ++++++++++++++-----\n- grub-core/disk/diskfilter.c | 9 +++--\n- grub-core/disk/ieee1275/obdisk.c | 43 +++++++++++++++++++----\n- grub-core/disk/ieee1275/ofdisk.c | 59 +++++++++++++++++++++++++++-----\n- grub-core/disk/ldm.c | 36 ++++++++++++++++---\n- grub-core/disk/luks2.c | 7 +++-\n- grub-core/disk/memdisk.c | 7 +++-\n- grub-core/disk/plainmount.c | 9 +++--\n- 8 files changed, 172 insertions(+), 34 deletions(-)\n-\n-diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c\n-index 2246af51b..6f7445665 100644\n---- a/grub-core/disk/cryptodisk.c\n-+++ b/grub-core/disk/cryptodisk.c\n-@@ -26,6 +26,7 @@\n- #include <grub/file.h>\n- #include <grub/procfs.h>\n- #include <grub/partition.h>\n-+#include <grub/safemath.h>\n- \n- #ifdef GRUB_UTIL\n- #include <grub/emu/hostdisk.h>\n-@@ -1473,7 +1474,7 @@ static char *\n- luks_script_get (grub_size_t *sz)\n- {\n- grub_cryptodisk_t i;\n-- grub_size_t size = 0;\n-+ grub_size_t size = 0, mul;\n- char *ptr, *ret;\n- \n- *sz = 0;\n-@@ -1482,10 +1483,6 @@ luks_script_get (grub_size_t *sz)\n- if (grub_strcmp (i->modname, \"luks\") == 0 ||\n- \tgrub_strcmp (i->modname, \"luks2\") == 0)\n- {\n--\tsize += grub_strlen (i->modname);\n--\tsize += sizeof (\"_mount\");\n--\tsize += grub_strlen (i->uuid);\n--\tsize += grub_strlen (i->cipher->cipher->name);\n- \t/*\n- \t * Add space in the line for (in order) spaces, cipher mode, cipher IV\n- \t * mode, sector offset, sector size and the trailing newline. This is\n-@@ -1493,14 +1490,35 @@ luks_script_get (grub_size_t *sz)\n- \t * in an earlier version of this code that are unaccounted for. It is\n- \t * left in the calculations in case it is needed. At worst, its short-\n- \t * lived wasted space.\n-+\t *\n-+\t * 60 = 5 + 5 + 8 + 20 + 6 + 1 + 15\n- \t */\n--\tsize += 5 + 5 + 8 + 20 + 6 + 1 + 15;\n-+\tif (grub_add (size, grub_strlen (i->modname), &size) ||\n-+\t grub_add (size, sizeof (\"_mount\") + 60, &size) ||\n-+\t grub_add (size, grub_strlen (i->uuid), &size) ||\n-+\t grub_add (size, grub_strlen (i->cipher->cipher->name), &size) ||\n-+\t grub_mul (i->keysize, 2, &mul) ||\n-+\t grub_add (size, mul, &size))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while obtaining size of luks script\");\n-+\t return 0;\n-+\t }\n- \tif (i->essiv_hash)\n--\t size += grub_strlen (i->essiv_hash->name);\n--\tsize += i->keysize * 2;\n-+\t {\n-+\t if (grub_add (size, grub_strlen (i->essiv_hash->name), &size))\n-+\t {\n-+\t\tgrub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while obtaining size of luks script\");\n-+\t\treturn 0;\n-+\t }\n-+\t }\n- }\n-+ if (grub_add (size, 1, &size))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while obtaining size of luks script\");\n-+ return 0;\n-+ }\n- \n-- ret = grub_malloc (size + 1);\n-+ ret = grub_malloc (size);\n- if (!ret)\n- return 0;\n- \n-diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c\n-index 21e239511..de5a564d4 100644\n---- a/grub-core/disk/diskfilter.c\n-+++ b/grub-core/disk/diskfilter.c\n-@@ -24,6 +24,7 @@\n- #include <grub/misc.h>\n- #include <grub/diskfilter.h>\n- #include <grub/partition.h>\n-+#include <grub/safemath.h>\n- #ifdef GRUB_UTIL\n- #include <grub/i18n.h>\n- #include <grub/util/misc.h>\n-@@ -1039,7 +1040,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,\n- {\n- struct grub_diskfilter_vg *array;\n- int i;\n-- grub_size_t j;\n-+ grub_size_t j, sz;\n- grub_uint64_t totsize;\n- struct grub_diskfilter_pv *pv;\n- grub_err_t err;\n-@@ -1140,7 +1141,11 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,\n- }\n- array->lvs->vg = array;\n- \n-- array->lvs->idname = grub_malloc (sizeof (\"mduuid/\") + 2 * uuidlen);\n-+ if (grub_mul (uuidlen, 2, &sz) ||\n-+ grub_add (sz, sizeof (\"mduuid/\"), &sz))\n-+ goto fail;\n-+\n-+ array->lvs->idname = grub_malloc (sz);\n- if (!array->lvs->idname)\n- goto fail;\n- \n-diff --git a/grub-core/disk/ieee1275/obdisk.c b/grub-core/disk/ieee1275/obdisk.c\n-index cd923b90f..9d4c42665 100644\n---- a/grub-core/disk/ieee1275/obdisk.c\n-+++ b/grub-core/disk/ieee1275/obdisk.c\n-@@ -26,6 +26,7 @@\n- #include <grub/mm.h>\n- #include <grub/scsicmd.h>\n- #include <grub/time.h>\n-+#include <grub/safemath.h>\n- #include <grub/ieee1275/ieee1275.h>\n- #include <grub/ieee1275/obdisk.h>\n- \n-@@ -128,9 +129,17 @@ count_commas (const char *src)\n- static char *\n- decode_grub_devname (const char *name)\n- {\n-- char *devpath = grub_malloc (grub_strlen (name) + 1);\n-+ char *devpath;\n- char *p, c;\n-+ grub_size_t sz;\n- \n-+ if (grub_add (grub_strlen (name), 1, &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining size of device name\"));\n-+ return NULL;\n-+ }\n-+\n-+ devpath = grub_malloc (sz);\n- if (devpath == NULL)\n- return NULL;\n- \n-@@ -156,12 +165,20 @@ static char *\n- encode_grub_devname (const char *path)\n- {\n- char *encoding, *optr;\n-+ grub_size_t sz;\n- \n- if (path == NULL)\n- return NULL;\n- \n-- encoding = grub_malloc (sizeof (IEEE1275_DEV) + count_commas (path) +\n-- grub_strlen (path) + 1);\n-+ if (grub_add (sizeof (IEEE1275_DEV) + 1, count_commas (path), &sz) ||\n-+ grub_add (sz, grub_strlen (path), &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining encoding size\"));\n-+ grub_print_error ();\n-+ return NULL;\n-+ }\n-+\n-+ encoding = grub_malloc (sz);\n- \n- if (encoding == NULL)\n- {\n-@@ -396,6 +413,14 @@ canonicalise_disk (const char *devname)\n- \n- real_unit_str_len = grub_strlen (op->name) + sizeof (IEEE1275_DISK_ALIAS)\n- + grub_strlen (real_unit_address);\n-+ if (grub_add (grub_strlen (op->name), sizeof (IEEE1275_DISK_ALIAS), &real_unit_str_len) ||\n-+\t grub_add (real_unit_str_len, grub_strlen (real_unit_address), &real_unit_str_len))\n-+\t{\n-+\t grub_free (parent);\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining size of canonical name\"));\n-+\t grub_print_error ();\n-+\t return NULL;\n-+\t}\n- \n- real_canon = grub_malloc (real_unit_str_len);\n- \n-@@ -413,6 +438,7 @@ canonicalise_disk (const char *devname)\n- static struct disk_dev *\n- add_canon_disk (const char *cname)\n- {\n-+ grub_size_t sz;\n- struct disk_dev *dev;\n- \n- dev = grub_zalloc (sizeof (struct disk_dev));\n-@@ -428,13 +454,18 @@ add_canon_disk (const char *cname)\n- * arguments and allows a client program to open\n- * the entire (raw) disk. Any disk label is ignored.\n- */\n-- dev->raw_name = grub_malloc (grub_strlen (cname) + sizeof (\":nolabel\"));\n-+ if (grub_add (grub_strlen (cname), sizeof (\":nolabel\"), &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while appending :nolabel to end of canonical name\");\n-+\t goto failed;\n-+\t}\n-+\n-+ dev->raw_name = grub_malloc (sz);\n- \n- if (dev->raw_name == NULL)\n- goto failed;\n- \n-- grub_snprintf (dev->raw_name, grub_strlen (cname) + sizeof (\":nolabel\"),\n-- \"%s:nolabel\", cname);\n-+ grub_snprintf (dev->raw_name, sz, \"%s:nolabel\", cname);\n- }\n- \n- /*\n-diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c\n-index c6cba0c8a..4c5b89cbc 100644\n---- a/grub-core/disk/ieee1275/ofdisk.c\n-+++ b/grub-core/disk/ieee1275/ofdisk.c\n-@@ -24,6 +24,7 @@\n- #include <grub/ieee1275/ofdisk.h>\n- #include <grub/i18n.h>\n- #include <grub/time.h>\n-+#include <grub/safemath.h>\n- \n- static char *last_devpath;\n- static grub_ieee1275_ihandle_t last_ihandle;\n-@@ -80,6 +81,7 @@ ofdisk_hash_add_real (char *devpath)\n- struct ofdisk_hash_ent **head = &ofdisk_hash[ofdisk_hash_fn(devpath)];\n- const char *iptr;\n- char *optr;\n-+ grub_size_t sz;\n- \n- p = grub_zalloc (sizeof (*p));\n- if (!p)\n-@@ -87,8 +89,14 @@ ofdisk_hash_add_real (char *devpath)\n- \n- p->devpath = devpath;\n- \n-- p->grub_devpath = grub_malloc (sizeof (\"ieee1275/\")\n--\t\t\t\t + 2 * grub_strlen (p->devpath));\n-+ if (grub_mul (grub_strlen (p->devpath), 2, &sz) ||\n-+ grub_add (sz, sizeof (\"ieee1275/\"), &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining size of device path\"));\n-+ return NULL;\n-+ }\n-+\n-+ p->grub_devpath = grub_malloc (sz);\n- \n- if (!p->grub_devpath)\n- {\n-@@ -98,7 +106,13 @@ ofdisk_hash_add_real (char *devpath)\n- \n- if (! grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_NO_PARTITION_0))\n- {\n-- p->open_path = grub_malloc (grub_strlen (p->devpath) + 3);\n-+ if (grub_add (grub_strlen (p->devpath), 3, &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining size of an open path\"));\n-+\t return NULL;\n-+\t}\n-+\n-+ p->open_path = grub_malloc (sz);\n- if (!p->open_path)\n- \t{\n- \t grub_free (p->grub_devpath);\n-@@ -224,6 +238,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)\n- args;\n- char *buf, *bufptr;\n- unsigned i;\n-+ grub_size_t sz;\n- \n- if (grub_ieee1275_open (alias->path, &ihandle))\n- \treturn;\n-@@ -243,7 +258,14 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)\n- \t return;\n- \t}\n- \n-- buf = grub_malloc (grub_strlen (alias->path) + 32);\n-+ if (grub_add (grub_strlen (alias->path), 32, &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while creating buffer for vscsi\");\n-+\t grub_ieee1275_close (ihandle);\n-+\t return;\n-+\t}\n-+\n-+ buf = grub_malloc (sz);\n- if (!buf)\n- \treturn;\n- bufptr = grub_stpcpy (buf, alias->path);\n-@@ -287,9 +309,15 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)\n- grub_uint64_t *table;\n- grub_uint16_t table_size;\n- grub_ieee1275_ihandle_t ihandle;\n-+ grub_size_t sz;\n- \n-- buf = grub_malloc (grub_strlen (alias->path) +\n-- sizeof (\"/disk@7766554433221100\"));\n-+ if (grub_add (grub_strlen (alias->path), sizeof (\"/disk@7766554433221100\"), &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while creating buffer for sas_ioa\");\n-+\t return;\n-+\t}\n-+\n-+ buf = grub_malloc (sz);\n- if (!buf)\n- return;\n- bufptr = grub_stpcpy (buf, alias->path);\n-@@ -427,9 +455,17 @@ grub_ofdisk_iterate (grub_disk_dev_iterate_hook_t hook, void *hook_data,\n- static char *\n- compute_dev_path (const char *name)\n- {\n-- char *devpath = grub_malloc (grub_strlen (name) + 3);\n-+ char *devpath;\n- char *p, c;\n-+ grub_size_t sz;\n- \n-+ if (grub_add (grub_strlen (name), 3, &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining size of device path\"));\n-+ return NULL;\n-+ }\n-+\n-+ devpath = grub_malloc (sz);\n- if (!devpath)\n- return NULL;\n- \n-@@ -625,6 +661,7 @@ insert_bootpath (void)\n- char *bootpath;\n- grub_ssize_t bootpath_size;\n- char *type;\n-+ grub_size_t sz;\n- \n- if (grub_ieee1275_get_property_length (grub_ieee1275_chosen, \"bootpath\",\n- \t\t\t\t\t &bootpath_size)\n-@@ -635,7 +672,13 @@ insert_bootpath (void)\n- return;\n- }\n- \n-- bootpath = (char *) grub_malloc ((grub_size_t) bootpath_size + 64);\n-+ if (grub_add (bootpath_size, 64, &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining bootpath size\"));\n-+ return;\n-+ }\n-+\n-+ bootpath = (char *) grub_malloc (sz);\n- if (! bootpath)\n- {\n- grub_print_error ();\n-diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c\n-index 34bfe6bd1..4101b15d8 100644\n---- a/grub-core/disk/ldm.c\n-+++ b/grub-core/disk/ldm.c\n-@@ -220,6 +220,7 @@ make_vg (grub_disk_t disk,\n- struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE\n- \t\t\t\t/ sizeof (struct grub_ldm_vblk)];\n- unsigned i;\n-+ grub_size_t sz;\n- err = grub_disk_read (disk, cursec, 0,\n- \t\t\t sizeof(vblk), &vblk);\n- if (err)\n-@@ -251,7 +252,13 @@ make_vg (grub_disk_t disk,\n- \t grub_free (pv);\n- \t goto fail2;\n- \t }\n--\t pv->internal_id = grub_malloc (ptr[0] + 2);\n-+\t if (grub_add (ptr[0], 2, &sz))\n-+\t {\n-+\t grub_free (pv);\n-+\t goto fail2;\n-+\t }\n-+\n-+\t pv->internal_id = grub_malloc (sz);\n- \t if (!pv->internal_id)\n- \t {\n- \t grub_free (pv);\n-@@ -276,7 +283,15 @@ make_vg (grub_disk_t disk,\n- \t goto fail2;\n- \t }\n- \t pv->id.uuidlen = *ptr;\n--\t pv->id.uuid = grub_malloc (pv->id.uuidlen + 1);\n-+\n-+\t if (grub_add (pv->id.uuidlen, 1, &sz))\n-+\t {\n-+\t grub_free (pv->internal_id);\n-+\t grub_free (pv);\n-+\t goto fail2;\n-+\t }\n-+\n-+\t pv->id.uuid = grub_malloc (sz);\n- \t grub_memcpy (pv->id.uuid, ptr + 1, pv->id.uuidlen);\n- \t pv->id.uuid[pv->id.uuidlen] = 0;\n- \n-@@ -343,7 +358,13 @@ make_vg (grub_disk_t disk,\n- \t grub_free (lv);\n- \t goto fail2;\n- \t }\n--\t lv->internal_id = grub_malloc ((grub_size_t) ptr[0] + 2);\n-+\t if (grub_add (ptr[0], 2, &sz))\n-+\t {\n-+\t grub_free (lv->segments);\n-+\t grub_free (lv);\n-+\t goto fail2;\n-+\t }\n-+\t lv->internal_id = grub_malloc (sz);\n- \t if (!lv->internal_id)\n- \t {\n- \t grub_free (lv);\n-@@ -455,6 +476,7 @@ make_vg (grub_disk_t disk,\n- struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE\n- \t\t\t\t/ sizeof (struct grub_ldm_vblk)];\n- unsigned i;\n-+ grub_size_t sz;\n- err = grub_disk_read (disk, cursec, 0,\n- \t\t\t sizeof(vblk), &vblk);\n- if (err)\n-@@ -490,7 +512,12 @@ make_vg (grub_disk_t disk,\n- \t grub_free (comp);\n- \t goto fail2;\n- \t }\n--\t comp->internal_id = grub_malloc ((grub_size_t) ptr[0] + 2);\n-+\t if (grub_add (ptr[0], 2, &sz))\n-+\t {\n-+\t grub_free (comp);\n-+\t goto fail2;\n-+\t }\n-+\t comp->internal_id = grub_malloc (sz);\n- \t if (!comp->internal_id)\n- \t {\n- \t grub_free (comp);\n-@@ -640,7 +667,6 @@ make_vg (grub_disk_t disk,\n- \t if (lv->segments->node_alloc == lv->segments->node_count)\n- \t {\n- \t void *t;\n--\t grub_size_t sz;\n- \n- \t if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||\n- \t\t grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))\n-diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c\n-index d5106402f..8036d76ff 100644\n---- a/grub-core/disk/luks2.c\n-+++ b/grub-core/disk/luks2.c\n-@@ -26,6 +26,7 @@\n- #include <grub/crypto.h>\n- #include <grub/partition.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- #include <base64.h>\n- #include <json.h>\n-@@ -569,6 +570,7 @@ luks2_recover_key (grub_disk_t source,\n- gcry_err_code_t gcry_ret;\n- grub_json_t *json = NULL, keyslots;\n- grub_err_t ret;\n-+ grub_size_t sz;\n- \n- if (cargs->key_data == NULL || cargs->key_len == 0)\n- return grub_error (GRUB_ERR_BAD_ARGUMENT, \"no key data\");\n-@@ -577,7 +579,10 @@ luks2_recover_key (grub_disk_t source,\n- if (ret)\n- return ret;\n- \n-- json_header = grub_zalloc (grub_be_to_cpu64 (header.hdr_size) - sizeof (header));\n-+ if (grub_sub (grub_be_to_cpu64 (header.hdr_size), sizeof (header), &sz))\n-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, \"underflow detected while calculating json header size\");\n-+\n-+ json_header = grub_zalloc (sz);\n- if (!json_header)\n- return GRUB_ERR_OUT_OF_MEMORY;\n- \n-diff --git a/grub-core/disk/memdisk.c b/grub-core/disk/memdisk.c\n-index 613779cf3..36de3bfab 100644\n---- a/grub-core/disk/memdisk.c\n-+++ b/grub-core/disk/memdisk.c\n-@@ -23,6 +23,7 @@\n- #include <grub/misc.h>\n- #include <grub/mm.h>\n- #include <grub/types.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -96,7 +97,11 @@ GRUB_MOD_INIT(memdisk)\n- \n- \tgrub_dprintf (\"memdisk\", \"Found memdisk image at %p\\n\", memdisk_orig_addr);\n- \n--\tmemdisk_size = header->size - sizeof (struct grub_module_header);\n-+\tif (grub_sub (header->size, sizeof (struct grub_module_header), &memdisk_size))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, \"underflow detected while obtaining memdisk size\");\n-+\t return;\n-+\t }\n- \tmemdisk_addr = grub_malloc (memdisk_size);\n- \n- \tgrub_dprintf (\"memdisk\", \"Copying memdisk image to dynamic memory\\n\");\n-diff --git a/grub-core/disk/plainmount.c b/grub-core/disk/plainmount.c\n-index 47e64805f..21ec4072c 100644\n---- a/grub-core/disk/plainmount.c\n-+++ b/grub-core/disk/plainmount.c\n-@@ -24,6 +24,7 @@\n- #include <grub/extcmd.h>\n- #include <grub/partition.h>\n- #include <grub/file.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -126,7 +127,7 @@ plainmount_configure_password (grub_cryptodisk_t dev, const char *hash,\n- grub_uint8_t *derived_hash, *dh;\n- char *p;\n- unsigned int round, i, len, size;\n-- grub_size_t alloc_size;\n-+ grub_size_t alloc_size, sz;\n- grub_err_t err = GRUB_ERR_NONE;\n- \n- /* Support none (plain) hash */\n-@@ -145,7 +146,11 @@ plainmount_configure_password (grub_cryptodisk_t dev, const char *hash,\n- * Allocate buffer for the password and for an added prefix character\n- * for each hash round ('alloc_size' may not be a multiple of 'len').\n- */\n-- p = grub_zalloc (alloc_size + (alloc_size / len) + 1);\n-+ if (grub_add (alloc_size, (alloc_size / len), &sz) ||\n-+ grub_add (sz, 1, &sz))\n-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while allocating size of password buffer\"));\n-+\n-+ p = grub_zalloc (sz);\n- derived_hash = grub_zalloc (GRUB_CRYPTODISK_MAX_KEYLEN * 2);\n- if (p == NULL || derived_hash == NULL)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0046-disk-Prevent-overflows-when-allocating-memory-for-ar.patch b/boot/grub2/0046-disk-Prevent-overflows-when-allocating-memory-for-ar.patch\ndeleted file mode 100644\nindex 1c1cb0ee3a..0000000000\n--- a/boot/grub2/0046-disk-Prevent-overflows-when-allocating-memory-for-ar.patch\n+++ /dev/null\n@@ -1,47 +0,0 @@\n-From d9f900247eb886176aace7888be941348a9c8fc8 Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Wed, 22 Jan 2025 02:55:10 +0000\n-Subject: [PATCH] disk: Prevent overflows when allocating memory for arrays\n-\n-Use grub_calloc() when allocating memory for arrays to ensure proper\n-overflow checks are in place.\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/disk/cryptodisk.c\n-\n-Upstream: d8151f98331ee4d15fcca59edffa59246d8fc15f\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/disk/lvm.c | 6 ++----\n- 1 file changed, 2 insertions(+), 4 deletions(-)\n-\n-diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c\n-index 794248540..a395b200d 100644\n---- a/grub-core/disk/lvm.c\n-+++ b/grub-core/disk/lvm.c\n-@@ -671,8 +671,7 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\t\t goto lvs_segment_fail;\n- \t\t\t}\n- \n--\t\t seg->nodes = grub_zalloc (sizeof (seg->nodes[0])\n--\t\t\t\t\t\t* seg->node_count);\n-+\t\t seg->nodes = grub_calloc (seg->node_count, sizeof (seg->nodes[0]));\n- \n- \t\t p = grub_strstr (p, \"mirrors = [\");\n- \t\t if (p == NULL)\n-@@ -760,8 +759,7 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\t\t }\n- \t\t\t}\n- \n--\t\t seg->nodes = grub_zalloc (sizeof (seg->nodes[0])\n--\t\t\t\t\t\t* seg->node_count);\n-+\t\t seg->nodes = grub_calloc (seg->node_count, sizeof (seg->nodes[0]));\n- \n- \t\t p = grub_strstr (p, \"raids = [\");\n- \t\t if (p == NULL)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0047-disk-Check-if-returned-pointer-for-allocated-memory-.patch b/boot/grub2/0047-disk-Check-if-returned-pointer-for-allocated-memory-.patch\ndeleted file mode 100644\nindex f00d37d977..0000000000\n--- a/boot/grub2/0047-disk-Check-if-returned-pointer-for-allocated-memory-.patch\n+++ /dev/null\n@@ -1,157 +0,0 @@\n-From 04621aac0412b99323fda050074d4e77c00bc8e8 Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Wed, 22 Jan 2025 02:55:11 +0000\n-Subject: [PATCH] disk: Check if returned pointer for allocated memory is NULL\n-\n-When using grub_malloc(), grub_zalloc() or grub_calloc(), these functions can\n-fail if we are out of memory. After allocating memory we should check if these\n-functions returned NULL and handle this error if they did.\n-\n-On the occasion make a NULL check in ATA code more obvious.\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 33bd6b5ac5c77b346769ab5284262f94e695e464\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/disk/ata.c | 4 ++--\n- grub-core/disk/ieee1275/obdisk.c | 6 ++++++\n- grub-core/disk/ldm.c | 6 ++++++\n- grub-core/disk/lvm.c | 14 ++++++++++++++\n- grub-core/disk/memdisk.c | 2 ++\n- 5 files changed, 30 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/disk/ata.c b/grub-core/disk/ata.c\n-index 7b6ac7bfc..a2433e29e 100644\n---- a/grub-core/disk/ata.c\n-+++ b/grub-core/disk/ata.c\n-@@ -112,10 +112,10 @@ grub_ata_identify (struct grub_ata *dev)\n- return grub_atapi_identify (dev);\n- \n- info64 = grub_malloc (GRUB_DISK_SECTOR_SIZE);\n-+ if (info64 == NULL)\n-+ return grub_errno;\n- info32 = (grub_uint32_t *) info64;\n- info16 = (grub_uint16_t *) info64;\n-- if (! info16)\n-- return grub_errno;\n- \n- grub_memset (&parms, 0, sizeof (parms));\n- parms.buffer = info16;\n-diff --git a/grub-core/disk/ieee1275/obdisk.c b/grub-core/disk/ieee1275/obdisk.c\n-index 9d4c42665..fcc39e0a2 100644\n---- a/grub-core/disk/ieee1275/obdisk.c\n-+++ b/grub-core/disk/ieee1275/obdisk.c\n-@@ -423,6 +423,12 @@ canonicalise_disk (const char *devname)\n- \t}\n- \n- real_canon = grub_malloc (real_unit_str_len);\n-+ if (real_canon == NULL)\n-+\t{\n-+\t grub_free (parent);\n-+\t grub_print_error ();\n-+\t return NULL;\n-+\t}\n- \n- grub_snprintf (real_canon, real_unit_str_len, \"%s/disk@%s\",\n- op->name, real_unit_address);\n-diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c\n-index 4101b15d8..048e29cd0 100644\n---- a/grub-core/disk/ldm.c\n-+++ b/grub-core/disk/ldm.c\n-@@ -292,6 +292,12 @@ make_vg (grub_disk_t disk,\n- \t }\n- \n- \t pv->id.uuid = grub_malloc (sz);\n-+\t if (pv->id.uuid == NULL)\n-+\t {\n-+\t grub_free (pv->internal_id);\n-+\t grub_free (pv);\n-+\t goto fail2;\n-+\t }\n- \t grub_memcpy (pv->id.uuid, ptr + 1, pv->id.uuidlen);\n- \t pv->id.uuid[pv->id.uuidlen] = 0;\n- \n-diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c\n-index a395b200d..b2dff76d1 100644\n---- a/grub-core/disk/lvm.c\n-+++ b/grub-core/disk/lvm.c\n-@@ -370,6 +370,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\tbreak;\n- \n- \t pv = grub_zalloc (sizeof (*pv));\n-+\t if (pv == NULL)\n-+\t\tgoto fail4;\n- \t q = p;\n- \t while (*q != ' ' && q < mda_end)\n- \t\tq++;\n-@@ -379,6 +381,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \n- \t s = q - p;\n- \t pv->name = grub_malloc (s + 1);\n-+\t if (pv->name == NULL)\n-+\t\tgoto pvs_fail_noname;\n- \t grub_memcpy (pv->name, p, s);\n- \t pv->name[s] = '\\0';\n- \n-@@ -451,6 +455,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\tbreak;\n- \n- \t lv = grub_zalloc (sizeof (*lv));\n-+\t if (lv == NULL)\n-+\t\tgoto fail4;\n- \n- \t q = p;\n- \t while (*q != ' ' && q < mda_end)\n-@@ -545,6 +551,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\t goto lvs_fail;\n- \t\t}\n- \t lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));\n-+\t if (lv->segments == NULL)\n-+\t\tgoto lvs_fail;\n- \t seg = lv->segments;\n- \n- \t for (i = 0; i < lv->segment_count; i++)\n-@@ -612,6 +620,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \n- \t\t seg->nodes = grub_calloc (seg->node_count,\n- \t\t\t\t\t\tsizeof (*stripe));\n-+\t\t if (seg->nodes == NULL)\n-+\t\t\tgoto lvs_segment_fail;\n- \t\t stripe = seg->nodes;\n- \n- \t\t p = grub_strstr (p, \"stripes = [\");\n-@@ -672,6 +682,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\t\t}\n- \n- \t\t seg->nodes = grub_calloc (seg->node_count, sizeof (seg->nodes[0]));\n-+\t\t if (seg->nodes == NULL)\n-+\t\t\tgoto lvs_segment_fail;\n- \n- \t\t p = grub_strstr (p, \"mirrors = [\");\n- \t\t if (p == NULL)\n-@@ -760,6 +772,8 @@ grub_lvm_detect (grub_disk_t disk,\n- \t\t\t}\n- \n- \t\t seg->nodes = grub_calloc (seg->node_count, sizeof (seg->nodes[0]));\n-+\t\t if (seg->nodes == NULL)\n-+\t\t\tgoto lvs_segment_fail;\n- \n- \t\t p = grub_strstr (p, \"raids = [\");\n- \t\t if (p == NULL)\n-diff --git a/grub-core/disk/memdisk.c b/grub-core/disk/memdisk.c\n-index 36de3bfab..2d7afaea3 100644\n---- a/grub-core/disk/memdisk.c\n-+++ b/grub-core/disk/memdisk.c\n-@@ -103,6 +103,8 @@ GRUB_MOD_INIT(memdisk)\n- \t return;\n- \t }\n- \tmemdisk_addr = grub_malloc (memdisk_size);\n-+\tif (memdisk_addr == NULL)\n-+\t return;\n- \n- \tgrub_dprintf (\"memdisk\", \"Copying memdisk image to dynamic memory\\n\");\n- \tgrub_memmove (memdisk_addr, memdisk_orig_addr, memdisk_size);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0048-disk-ieee1275-ofdisk-Call-grub_ieee1275_close-when-g.patch b/boot/grub2/0048-disk-ieee1275-ofdisk-Call-grub_ieee1275_close-when-g.patch\ndeleted file mode 100644\nindex fd0ddda674..0000000000\n--- a/boot/grub2/0048-disk-ieee1275-ofdisk-Call-grub_ieee1275_close-when-g.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From 2dcfad49316cc757138a8c69f6b44ee1a240aa3d Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Wed, 22 Jan 2025 02:55:12 +0000\n-Subject: [PATCH] disk/ieee1275/ofdisk: Call grub_ieee1275_close() when\n- grub_malloc() fails\n-\n-In the dev_iterate() function a handle is opened but isn't closed when\n-grub_malloc() returns NULL. We should fix this by closing it on error.\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: fbaddcca541805c333f0fc792b82772594e73753\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/disk/ieee1275/ofdisk.c | 5 ++++-\n- 1 file changed, 4 insertions(+), 1 deletion(-)\n-\n-diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c\n-index 4c5b89cbc..dbc0f1aba 100644\n---- a/grub-core/disk/ieee1275/ofdisk.c\n-+++ b/grub-core/disk/ieee1275/ofdisk.c\n-@@ -267,7 +267,10 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)\n- \n- buf = grub_malloc (sz);\n- if (!buf)\n--\treturn;\n-+\t{\n-+\t grub_ieee1275_close (ihandle);\n-+\t return;\n-+\t}\n- bufptr = grub_stpcpy (buf, alias->path);\n- \n- for (i = 0; i < args.nentries; i++)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0049-fs-Use-safe-math-macros-to-prevent-overflows.patch b/boot/grub2/0049-fs-Use-safe-math-macros-to-prevent-overflows.patch\ndeleted file mode 100644\nindex 4ad7463a13..0000000000\n--- a/boot/grub2/0049-fs-Use-safe-math-macros-to-prevent-overflows.patch\n+++ /dev/null\n@@ -1,362 +0,0 @@\n-From 005280a4b3ba41ab0b4fea5e1d2a874646e6e12d Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Tue, 21 Jan 2025 19:02:36 +0000\n-Subject: [PATCH] fs: Use safe math macros to prevent overflows\n-\n-Replace direct arithmetic operations with macros from include/grub/safemath.h\n-to prevent potential overflow issues when calculating the memory sizes.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/fs/erofs.c\n-\n-Upstream: 6608163b08a7a8be4b0ab2a5cd4593bba07fe2b7\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/archelp.c | 9 ++++++++-\n- grub-core/fs/btrfs.c | 34 ++++++++++++++++++++++++++++------\n- grub-core/fs/cpio_common.c | 16 ++++++++++++++--\n- grub-core/fs/f2fs.c | 17 +++++++++++++++--\n- grub-core/fs/ntfscomp.c | 9 ++++++++-\n- grub-core/fs/squash4.c | 12 +++++++++---\n- grub-core/fs/xfs.c | 17 +++++++++++++++--\n- 7 files changed, 97 insertions(+), 17 deletions(-)\n-\n-diff --git a/grub-core/fs/archelp.c b/grub-core/fs/archelp.c\n-index c1dcc6285..0816b28de 100644\n---- a/grub-core/fs/archelp.c\n-+++ b/grub-core/fs/archelp.c\n-@@ -21,6 +21,7 @@\n- #include <grub/fs.h>\n- #include <grub/disk.h>\n- #include <grub/dl.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -68,6 +69,7 @@ handle_symlink (struct grub_archelp_data *data,\n- char *rest;\n- char *linktarget;\n- grub_size_t linktarget_len;\n-+ grub_size_t sz;\n- \n- *restart = 0;\n- \n-@@ -98,7 +100,12 @@ handle_symlink (struct grub_archelp_data *data,\n- if (linktarget[0] == '\\0')\n- return GRUB_ERR_NONE;\n- linktarget_len = grub_strlen (linktarget);\n-- target = grub_malloc (linktarget_len + grub_strlen (*name) + 2);\n-+\n-+ if (grub_add (linktarget_len, grub_strlen (*name), &sz) ||\n-+ grub_add (sz, 2, &sz))\n-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"link target length overflow\"));\n-+\n-+ target = grub_malloc (sz);\n- if (!target)\n- return grub_errno;\n- \n-diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c\n-index aae81482b..0625b1166 100644\n---- a/grub-core/fs/btrfs.c\n-+++ b/grub-core/fs/btrfs.c\n-@@ -1801,6 +1801,7 @@ find_path (struct grub_btrfs_data *data,\n- char *path_alloc = NULL;\n- char *origpath = NULL;\n- unsigned symlinks_max = 32;\n-+ grub_size_t sz;\n- \n- err = get_root (data, key, tree, type);\n- if (err)\n-@@ -1891,9 +1892,15 @@ find_path (struct grub_btrfs_data *data,\n- struct grub_btrfs_dir_item *cdirel;\n- if (elemsize > allocated)\n- \t{\n--\t allocated = 2 * elemsize;\n-+\t if (grub_mul (2, elemsize, &allocated) ||\n-+\t grub_add (allocated, 1, &sz))\n-+\t {\n-+\t grub_free (path_alloc);\n-+\t grub_free (origpath);\n-+\t return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"directory item size overflow\"));\n-+\t }\n- \t grub_free (direl);\n--\t direl = grub_malloc (allocated + 1);\n-+\t direl = grub_malloc (sz);\n- \t if (!direl)\n- \t {\n- \t grub_free (path_alloc);\n-@@ -1955,8 +1962,16 @@ find_path (struct grub_btrfs_data *data,\n- \t grub_free (origpath);\n- \t return err;\n- \t }\n--\t tmp = grub_malloc (grub_le_to_cpu64 (inode.size)\n--\t\t\t + grub_strlen (path) + 1);\n-+\n-+\t if (grub_add (grub_le_to_cpu64 (inode.size), grub_strlen (path), &sz) ||\n-+\t grub_add (sz, 1, &sz))\n-+\t {\n-+\t grub_free (direl);\n-+\t grub_free (path_alloc);\n-+\t grub_free (origpath);\n-+\t return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"buffer size overflow\"));\n-+\t }\n-+\t tmp = grub_malloc (sz);\n- \t if (!tmp)\n- \t {\n- \t grub_free (direl);\n-@@ -2078,6 +2093,7 @@ grub_btrfs_dir (grub_device_t device, const char *path,\n- grub_uint64_t tree;\n- grub_uint8_t type;\n- grub_size_t est_size = 0;\n-+ grub_size_t sz;\n- \n- if (!data)\n- return grub_errno;\n-@@ -2119,9 +2135,15 @@ grub_btrfs_dir (grub_device_t device, const char *path,\n- \t}\n- if (elemsize > allocated)\n- \t{\n--\t allocated = 2 * elemsize;\n-+\t if (grub_mul (2, elemsize, &allocated) ||\n-+\t grub_add (allocated, 1, &sz))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"directory element size overflow\"));\n-+\t r = -grub_errno;\n-+\t break;\n-+\t }\n- \t grub_free (direl);\n--\t direl = grub_malloc (allocated + 1);\n-+\t direl = grub_malloc (sz);\n- \t if (!direl)\n- \t {\n- \t r = -grub_errno;\n-diff --git a/grub-core/fs/cpio_common.c b/grub-core/fs/cpio_common.c\n-index 5d41b6fdb..6ba58b354 100644\n---- a/grub-core/fs/cpio_common.c\n-+++ b/grub-core/fs/cpio_common.c\n-@@ -24,6 +24,7 @@\n- #include <grub/dl.h>\n- #include <grub/i18n.h>\n- #include <grub/archelp.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -48,6 +49,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- struct head hd;\n- grub_size_t namesize;\n- grub_uint32_t modeval;\n-+ grub_size_t sz;\n- \n- data->hofs = data->next_hofs;\n- \n-@@ -76,7 +78,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- \n- *mode = modeval;\n- \n-- *name = grub_malloc (namesize + 1);\n-+ if (grub_add (namesize, 1, &sz))\n-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"file name size overflow\"));\n-+\n-+ *name = grub_malloc (sz);\n- if (*name == NULL)\n- return grub_errno;\n- \n-@@ -110,10 +115,17 @@ grub_cpio_get_link_target (struct grub_archelp_data *data)\n- {\n- char *ret;\n- grub_err_t err;\n-+ grub_size_t sz;\n- \n- if (data->size == 0)\n- return grub_strdup (\"\");\n-- ret = grub_malloc (data->size + 1);\n-+\n-+ if (grub_add (data->size, 1, &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"target data size overflow\"));\n-+ return NULL;\n-+ }\n-+ ret = grub_malloc (sz);\n- if (!ret)\n- return NULL;\n- \n-diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c\n-index f6d6beaa5..72b4aa1e6 100644\n---- a/grub-core/fs/f2fs.c\n-+++ b/grub-core/fs/f2fs.c\n-@@ -28,6 +28,7 @@\n- #include <grub/types.h>\n- #include <grub/charset.h>\n- #include <grub/fshelp.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -958,6 +959,7 @@ grub_f2fs_read_symlink (grub_fshelp_node_t node)\n- char *symlink;\n- struct grub_fshelp_node *diro = node;\n- grub_uint64_t filesize;\n-+ grub_size_t sz;\n- \n- if (!diro->inode_read)\n- {\n-@@ -968,7 +970,12 @@ grub_f2fs_read_symlink (grub_fshelp_node_t node)\n- \n- filesize = grub_f2fs_file_size(&diro->inode.i);\n- \n-- symlink = grub_malloc (filesize + 1);\n-+ if (grub_add (filesize, 1, &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"symlink size overflow\"));\n-+ return 0;\n-+ }\n-+ symlink = grub_malloc (sz);\n- if (!symlink)\n- return 0;\n- \n-@@ -997,6 +1004,7 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx)\n- enum FILE_TYPE ftype;\n- int name_len;\n- int ret;\n-+ int sz;\n- \n- if (grub_f2fs_test_bit_le (i, ctx->bitmap) == 0)\n- {\n-@@ -1010,7 +1018,12 @@ grub_f2fs_check_dentries (struct grub_f2fs_dir_iter_ctx *ctx)\n- if (name_len >= F2FS_NAME_LEN)\n- return 0;\n- \n-- filename = grub_malloc (name_len + 1);\n-+ if (grub_add (name_len, 1, &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"directory entry name length overflow\"));\n-+\t return 0;\n-+\t}\n-+ filename = grub_malloc (sz);\n- if (!filename)\n- return 0;\n- \n-diff --git a/grub-core/fs/ntfscomp.c b/grub-core/fs/ntfscomp.c\n-index a009f2c2d..f168a318e 100644\n---- a/grub-core/fs/ntfscomp.c\n-+++ b/grub-core/fs/ntfscomp.c\n-@@ -22,6 +22,7 @@\n- #include <grub/disk.h>\n- #include <grub/dl.h>\n- #include <grub/ntfs.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -310,6 +311,7 @@ ntfscomp (grub_uint8_t *dest, grub_disk_addr_t ofs,\n- {\n- grub_err_t ret;\n- grub_disk_addr_t vcn;\n-+ int log_sz;\n- \n- if (ctx->attr->sbuf)\n- {\n-@@ -349,7 +351,12 @@ ntfscomp (grub_uint8_t *dest, grub_disk_addr_t ofs,\n- }\n- \n- ctx->comp.comp_head = ctx->comp.comp_tail = 0;\n-- ctx->comp.cbuf = grub_malloc (1 << (ctx->comp.log_spc + GRUB_NTFS_BLK_SHR));\n-+ if (grub_add (ctx->comp.log_spc, GRUB_NTFS_BLK_SHR, &log_sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"compression buffer size overflow\"));\n-+ return 0;\n-+ }\n-+ ctx->comp.cbuf = grub_malloc (1 << log_sz);\n- if (!ctx->comp.cbuf)\n- return 0;\n- \n-diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c\n-index 6e9d63874..f91ff3bfa 100644\n---- a/grub-core/fs/squash4.c\n-+++ b/grub-core/fs/squash4.c\n-@@ -460,11 +460,11 @@ grub_squash_read_symlink (grub_fshelp_node_t node)\n- {\n- char *ret;\n- grub_err_t err;\n-- grub_size_t sz;\n-+ grub_uint32_t sz;\n- \n- if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))\n- {\n-- grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow is detected\"));\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"symlink name length overflow\"));\n- return NULL;\n- }\n- \n-@@ -580,6 +580,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,\n- \t struct grub_squash_dirent di;\n- \t struct grub_squash_inode ino;\n- \t grub_size_t sz;\n-+\t grub_uint16_t nlen;\n- \n- \t err = read_chunk (dir->data, &di, sizeof (di),\n- \t\t\t grub_le_to_cpu64 (dir->data->sb.diroffset)\n-@@ -595,7 +596,12 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,\n- \t if (err)\n- \t return 0;\n- \n--\t buf = grub_malloc (grub_le_to_cpu16 (di.namelen) + 2);\n-+\t if (grub_add (grub_le_to_cpu16 (di.namelen), 2, &nlen))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"name length overflow\"));\n-+\t return 0;\n-+\t }\n-+\t buf = grub_malloc (nlen);\n- \t if (!buf)\n- \t return 0;\n- \t err = read_chunk (dir->data, buf,\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index 74feeb86a..70c9f449b 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -718,6 +718,7 @@ static char *\n- grub_xfs_read_symlink (grub_fshelp_node_t node)\n- {\n- grub_ssize_t size = grub_be_to_cpu64 (node->inode.size);\n-+ grub_size_t sz;\n- \n- if (size < 0)\n- {\n-@@ -739,7 +740,12 @@ grub_xfs_read_symlink (grub_fshelp_node_t node)\n- \tif (node->data->hascrc)\n- \t off = 56;\n- \n--\tsymlink = grub_malloc (size + 1);\n-+\tif (grub_add (size, 1, &sz))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"symlink size overflow\"));\n-+\t return 0;\n-+\t }\n-+\tsymlink = grub_malloc (sz);\n- \tif (!symlink)\n- \t return 0;\n- \n-@@ -789,8 +795,15 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,\n- {\n- struct grub_fshelp_node *fdiro;\n- grub_err_t err;\n-+ grub_size_t sz;\n- \n-- fdiro = grub_malloc (grub_xfs_fshelp_size(ctx->diro->data) + 1);\n-+ if (grub_add (grub_xfs_fshelp_size(ctx->diro->data), 1, &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"directory data size overflow\"));\n-+ grub_print_error ();\n-+ return 0;\n-+ }\n-+ fdiro = grub_malloc (sz);\n- if (!fdiro)\n- {\n- grub_print_error ();\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch b/boot/grub2/0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch\ndeleted file mode 100644\nindex ce84e677c3..0000000000\n--- a/boot/grub2/0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch\n+++ /dev/null\n@@ -1,87 +0,0 @@\n-From 593d7b8659bef80b1f6ae3b793332d8eca8b8131 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Tue, 21 Jan 2025 19:02:37 +0000\n-Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays\n-\n-Use grub_calloc() when allocating memory for arrays to ensure proper\n-overflow checks are in place.\n-\n-The HFS+ and squash4 security vulnerabilities were reported by\n-Jonathan Bar Or <jonathanbaror@gmail.com>.\n-\n-CVE: CVE-2025-0678\n-CVE: CVE-2025-1125\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 84bc0a9a68835952ae69165c11709811dae7634e\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/btrfs.c | 4 ++--\n- grub-core/fs/hfspluscomp.c | 9 +++++++--\n- grub-core/fs/squash4.c | 8 ++++----\n- 3 files changed, 13 insertions(+), 8 deletions(-)\n-\n-diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c\n-index 0625b1166..9c1e925c9 100644\n---- a/grub-core/fs/btrfs.c\n-+++ b/grub-core/fs/btrfs.c\n-@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)\n- }\n- \n- data->n_devices_allocated = 16;\n-- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])\n--\t\t\t\t\t* data->n_devices_allocated);\n-+ data->devices_attached = grub_calloc (data->n_devices_allocated,\n-+\t\t\t\t\tsizeof (data->devices_attached[0]));\n- if (!data->devices_attached)\n- {\n- grub_free (data);\n-diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c\n-index 48ae438d8..a80954ee6 100644\n---- a/grub-core/fs/hfspluscomp.c\n-+++ b/grub-core/fs/hfspluscomp.c\n-@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)\n- \t return 0;\n- \t}\n- node->compress_index_size = grub_le_to_cpu32 (index_size);\n-- node->compress_index = grub_malloc (node->compress_index_size\n--\t\t\t\t\t * sizeof (node->compress_index[0]));\n-+ node->compress_index = grub_calloc (node->compress_index_size,\n-+\t\t\t\t\t sizeof (node->compress_index[0]));\n- if (!node->compress_index)\n- \t{\n- \t node->compressed = 0;\n- \t grub_free (attr_node);\n- \t return grub_errno;\n- \t}\n-+\n-+ /*\n-+ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here\n-+ * due to relevant checks done in grub_calloc() above.\n-+ */\n- if (grub_hfsplus_read_file (node, 0, 0,\n- \t\t\t\t 0x104 + sizeof (index_size),\n- \t\t\t\t node->compress_index_size\n-diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c\n-index f91ff3bfa..cf2bca822 100644\n---- a/grub-core/fs/squash4.c\n-+++ b/grub-core/fs/squash4.c\n-@@ -822,10 +822,10 @@ direct_read (struct grub_squash_data *data,\n- \t break;\n- \t}\n- total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);\n-- ino->block_sizes = grub_malloc (total_blocks\n--\t\t\t\t * sizeof (ino->block_sizes[0]));\n-- ino->cumulated_block_sizes = grub_malloc (total_blocks\n--\t\t\t\t\t\t* sizeof (ino->cumulated_block_sizes[0]));\n-+ ino->block_sizes = grub_calloc (total_blocks,\n-+\t\t\t\t sizeof (ino->block_sizes[0]));\n-+ ino->cumulated_block_sizes = grub_calloc (total_blocks,\n-+\t\t\t\t\t\tsizeof (ino->cumulated_block_sizes[0]));\n- if (!ino->block_sizes || !ino->cumulated_block_sizes)\n- \t{\n- \t grub_free (ino->block_sizes);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0051-fs-Prevent-overflows-when-assigning-returned-values-.patch b/boot/grub2/0051-fs-Prevent-overflows-when-assigning-returned-values-.patch\ndeleted file mode 100644\nindex f1438a28fe..0000000000\n--- a/boot/grub2/0051-fs-Prevent-overflows-when-assigning-returned-values-.patch\n+++ /dev/null\n@@ -1,110 +0,0 @@\n-From 639711967a296edb0704c3d2c31691076d46f565 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Tue, 21 Jan 2025 19:02:38 +0000\n-Subject: [PATCH] fs: Prevent overflows when assigning returned values from\n- read_number()\n-\n-The direct assignment of the unsigned long long value returned by\n-read_number() can potentially lead to an overflow on a 32-bit systems.\n-The fix replaces the direct assignments with calls to grub_cast()\n-which detects the overflows and safely assigns the values if no\n-overflow is detected.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: cde9f7f338f8f5771777f0e7dfc423ddf952ad31\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/cpio_common.c | 18 ++++++++++++++----\n- grub-core/fs/tar.c | 23 ++++++++++++++++-------\n- 2 files changed, 30 insertions(+), 11 deletions(-)\n-\n-diff --git a/grub-core/fs/cpio_common.c b/grub-core/fs/cpio_common.c\n-index 6ba58b354..45ac119a8 100644\n---- a/grub-core/fs/cpio_common.c\n-+++ b/grub-core/fs/cpio_common.c\n-@@ -62,11 +62,21 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- #endif\n- )\n- return grub_error (GRUB_ERR_BAD_FS, \"invalid cpio archive\");\n-- data->size = read_number (hd.filesize, ARRAY_SIZE (hd.filesize));\n-+\n-+ if (grub_cast (read_number (hd.filesize, ARRAY_SIZE (hd.filesize)), &data->size))\n-+ return grub_error (GRUB_ERR_BAD_FS, N_(\"data size overflow\"));\n-+\n- if (mtime)\n-- *mtime = read_number (hd.mtime, ARRAY_SIZE (hd.mtime));\n-- modeval = read_number (hd.mode, ARRAY_SIZE (hd.mode));\n-- namesize = read_number (hd.namesize, ARRAY_SIZE (hd.namesize));\n-+ {\n-+ if (grub_cast (read_number (hd.mtime, ARRAY_SIZE (hd.mtime)), mtime))\n-+\treturn grub_error (GRUB_ERR_BAD_FS, N_(\"mtime overflow\"));\n-+ }\n-+\n-+ if (grub_cast (read_number (hd.mode, ARRAY_SIZE (hd.mode)), &modeval))\n-+ return grub_error (GRUB_ERR_BAD_FS, N_(\"mode overflow\"));\n-+\n-+ if (grub_cast (read_number (hd.namesize, ARRAY_SIZE (hd.namesize)), &namesize))\n-+ return grub_error (GRUB_ERR_BAD_FS, N_(\"namesize overflow\"));\n- \n- /* Don't allow negative numbers. */\n- if (namesize >= 0x80000000)\n-diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c\n-index fd2ec1f74..1eaa5349f 100644\n---- a/grub-core/fs/tar.c\n-+++ b/grub-core/fs/tar.c\n-@@ -99,9 +99,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- if (hd.typeflag == 'L')\n- \t{\n- \t grub_err_t err;\n--\t grub_size_t namesize = read_number (hd.size, sizeof (hd.size));\n-+\t grub_size_t namesize;\n- \n--\t if (grub_add (namesize, 1, &sz))\n-+\t if (grub_cast (read_number (hd.size, sizeof (hd.size)), &namesize) ||\n-+\t grub_add (namesize, 1, &sz))\n- \t return grub_error (GRUB_ERR_BAD_FS, N_(\"name size overflow\"));\n- \n- \t *name = grub_malloc (sz);\n-@@ -123,9 +124,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- if (hd.typeflag == 'K')\n- \t{\n- \t grub_err_t err;\n--\t grub_size_t linksize = read_number (hd.size, sizeof (hd.size));\n-+\t grub_size_t linksize;\n- \n--\t if (grub_add (linksize, 1, &sz))\n-+\t if (grub_cast (read_number (hd.size, sizeof (hd.size)), &linksize) ||\n-+\t grub_add (linksize, 1, &sz))\n- \t return grub_error (GRUB_ERR_BAD_FS, N_(\"link size overflow\"));\n- \n- \t if (data->linkname_alloc < sz)\n-@@ -174,15 +176,22 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,\n- \t (*name)[extra_size + sizeof (hd.name)] = 0;\n- \t}\n- \n-- data->size = read_number (hd.size, sizeof (hd.size));\n-+ if (grub_cast (read_number (hd.size, sizeof (hd.size)), &data->size))\n-+\treturn grub_error (GRUB_ERR_BAD_FS, N_(\"data size overflow\"));\n-+\n- data->dofs = data->hofs + GRUB_DISK_SECTOR_SIZE;\n- data->next_hofs = data->dofs + ((data->size + GRUB_DISK_SECTOR_SIZE - 1) &\n- \t\t\t ~(GRUB_DISK_SECTOR_SIZE - 1));\n- if (mtime)\n--\t*mtime = read_number (hd.mtime, sizeof (hd.mtime));\n-+\t{\n-+\t if (grub_cast (read_number (hd.mtime, sizeof (hd.mtime)), mtime))\n-+\t return grub_error (GRUB_ERR_BAD_FS, N_(\"mtime overflow\"));\n-+\t}\n- if (mode)\n- \t{\n--\t *mode = read_number (hd.mode, sizeof (hd.mode));\n-+\t if (grub_cast (read_number (hd.mode, sizeof (hd.mode)), mode))\n-+\t return grub_error (GRUB_ERR_BAD_FS, N_(\"mode overflow\"));\n-+\n- \t switch (hd.typeflag)\n- \t {\n- \t /* Hardlink. */\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0052-fs-zfs-Use-safe-math-macros-to-prevent-overflows.patch b/boot/grub2/0052-fs-zfs-Use-safe-math-macros-to-prevent-overflows.patch\ndeleted file mode 100644\nindex bbf93dd0b4..0000000000\n--- a/boot/grub2/0052-fs-zfs-Use-safe-math-macros-to-prevent-overflows.patch\n+++ /dev/null\n@@ -1,143 +0,0 @@\n-From bd4fcbdbd9835716213debce07f08c81311ce9a6 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 22 Jan 2025 07:17:02 +0000\n-Subject: [PATCH] fs/zfs: Use safe math macros to prevent overflows\n-\n-Replace direct arithmetic operations with macros from include/grub/safemath.h\n-to prevent potential overflow issues when calculating the memory sizes.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 88e491a0f744c6b19b6d4caa300a576ba56db7c9\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/zfs/zfs.c | 50 +++++++++++++++++++++++++++++++++++++-----\n- 1 file changed, 44 insertions(+), 6 deletions(-)\n-\n-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c\n-index a497b1869..2f303d655 100644\n---- a/grub-core/fs/zfs/zfs.c\n-+++ b/grub-core/fs/zfs/zfs.c\n-@@ -2387,6 +2387,7 @@ fzap_iterate (dnode_end_t * zap_dnode, zap_phys_t * zap,\n- \t\t\t\t\t zap_dnode->endian) << DNODE_SHIFT);\n- grub_err_t err;\n- grub_zfs_endian_t endian;\n-+ grub_size_t sz;\n- \n- if (zap_verify (zap, zap_dnode->endian))\n- return 0;\n-@@ -2448,8 +2449,14 @@ fzap_iterate (dnode_end_t * zap_dnode, zap_phys_t * zap,\n- \t if (le->le_type != ZAP_CHUNK_ENTRY)\n- \t continue;\n- \n--\t buf = grub_malloc (grub_zfs_to_cpu16 (le->le_name_length, endian)\n--\t\t\t * name_elem_length + 1);\n-+\t if (grub_mul (grub_zfs_to_cpu16 (le->le_name_length, endian), name_elem_length, &sz) ||\n-+\t grub_add (sz, 1, &sz))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"buffer size overflow\"));\n-+\t grub_free (l);\n-+\t return grub_errno;\n-+\t }\n-+\t buf = grub_malloc (sz);\n- \t if (zap_leaf_array_get (l, endian, blksft,\n- \t\t\t\t grub_zfs_to_cpu16 (le->le_name_chunk,\n- \t\t\t\t\t\t endian),\n-@@ -2872,6 +2879,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,\n- \t && ((grub_zfs_to_cpu64(((znode_phys_t *) DN_BONUS (&dnode_path->dn.dn))->zp_mode, dnode_path->dn.endian) >> 12) & 0xf) == 0xa)\n- \t{\n- \t char *sym_value;\n-+\t grub_size_t sz;\n- \t grub_size_t sym_sz;\n- \t int free_symval = 0;\n- \t char *oldpath = path, *oldpathbuf = path_buf;\n-@@ -2923,7 +2931,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,\n- \t\t break;\n- \t free_symval = 1;\n- \t }\n--\t path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);\n-+\n-+\t if (grub_add (sym_sz, grub_strlen (oldpath), &sz) ||\n-+\t grub_add (sz, 1, &sz))\n-+\t {\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"path buffer size overflow\"));\n-+\t grub_free (oldpathbuf);\n-+\t if (free_symval)\n-+\t\tgrub_free (sym_value);\n-+\t err = grub_errno;\n-+\t break;\n-+\t }\n-+\t path = path_buf = grub_malloc (sz);\n- \t if (!path_buf)\n- \t {\n- \t grub_free (oldpathbuf);\n-@@ -2960,6 +2979,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,\n- \t{\n- \t void *sahdrp;\n- \t int hdrsize;\n-+\t grub_size_t sz;\n- \n- \t if (dnode_path->dn.dn.dn_bonuslen != 0)\n- \t {\n-@@ -2993,7 +3013,15 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,\n- \t\t\t\t\t\t\t + SA_SIZE_OFFSET),\n- \t\t\t\t dnode_path->dn.endian);\n- \t char *oldpath = path, *oldpathbuf = path_buf;\n--\t path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);\n-+\t if (grub_add (sym_sz, grub_strlen (oldpath), &sz) ||\n-+\t\t grub_add (sz, 1, &sz))\n-+\t\t{\n-+\t\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"path buffer size overflow\"));\n-+\t\t grub_free (oldpathbuf);\n-+\t\t err = grub_errno;\n-+\t\t break;\n-+\t\t}\n-+\t path = path_buf = grub_malloc (sz);\n- \t if (!path_buf)\n- \t\t{\n- \t\t grub_free (oldpathbuf);\n-@@ -3568,6 +3596,7 @@ grub_zfs_nvlist_lookup_nvlist_array (const char *nvlist, const char *name,\n- unsigned i;\n- grub_size_t nelm;\n- int elemsize = 0;\n-+ int sz;\n- \n- found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST_ARRAY, &nvpair,\n- \t\t\t &size, &nelm);\n-@@ -3602,7 +3631,12 @@ grub_zfs_nvlist_lookup_nvlist_array (const char *nvlist, const char *name,\n- return 0;\n- }\n- \n-- ret = grub_zalloc (elemsize + sizeof (grub_uint32_t));\n-+ if (grub_add (elemsize, sizeof (grub_uint32_t), &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"elemsize overflow\"));\n-+ return 0;\n-+ }\n-+ ret = grub_zalloc (sz);\n- if (!ret)\n- return 0;\n- grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));\n-@@ -4193,6 +4227,7 @@ iterate_zap_snap (const char *name, grub_uint64_t val,\n- struct grub_dirhook_info info;\n- char *name2;\n- int ret;\n-+ grub_size_t sz;\n- \n- dnode_end_t mdn;\n- \n-@@ -4213,7 +4248,10 @@ iterate_zap_snap (const char *name, grub_uint64_t val,\n- return 0;\n- }\n- \n-- name2 = grub_malloc (grub_strlen (name) + 2);\n-+ if (grub_add (grub_strlen (name), 2, &sz))\n-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"name length overflow\"));\n-+\n-+ name2 = grub_malloc (sz);\n- name2[0] = '@';\n- grub_memcpy (name2 + 1, name, grub_strlen (name) + 1);\n- ret = ctx->hook (name2, &info, ctx->hook_data);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0053-fs-zfs-Prevent-overflows-when-allocating-memory-for-.patch b/boot/grub2/0053-fs-zfs-Prevent-overflows-when-allocating-memory-for-.patch\ndeleted file mode 100644\nindex 7cf5524195..0000000000\n--- a/boot/grub2/0053-fs-zfs-Prevent-overflows-when-allocating-memory-for-.patch\n+++ /dev/null\n@@ -1,45 +0,0 @@\n-From b39a42a7de6639c32829a5f4aff603190c69d689 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 22 Jan 2025 07:17:03 +0000\n-Subject: [PATCH] fs/zfs: Prevent overflows when allocating memory for arrays\n-\n-Use grub_calloc() when allocating memory for arrays to ensure proper\n-overflow checks are in place.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 7f38e32c7ebeaebb79e2c71e3c7d5ea367d3a39c\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/zfs/zfs.c | 8 ++++----\n- 1 file changed, 4 insertions(+), 4 deletions(-)\n-\n-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c\n-index 2f303d655..9ab7bf319 100644\n---- a/grub-core/fs/zfs/zfs.c\n-+++ b/grub-core/fs/zfs/zfs.c\n-@@ -723,8 +723,8 @@ fill_vdev_info_real (struct grub_zfs_data *data,\n- \t{\n- \t fill->n_children = nelm;\n- \n--\t fill->children = grub_zalloc (fill->n_children\n--\t\t\t\t\t* sizeof (fill->children[0]));\n-+\t fill->children = grub_calloc (fill->n_children,\n-+\t\t\t\t\tsizeof (fill->children[0]));\n- \t}\n- \n- for (i = 0; i < nelm; i++)\n-@@ -3712,8 +3712,8 @@ zfs_mount (grub_device_t dev)\n- #endif\n- \n- data->n_devices_allocated = 16;\n-- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])\n--\t\t\t\t\t* data->n_devices_allocated);\n-+ data->devices_attached = grub_calloc (data->n_devices_allocated,\n-+\t\t\t\t\tsizeof (data->devices_attached[0]));\n- data->n_devices_attached = 0;\n- err = scan_disk (dev, data, 1, &inserted);\n- if (err)\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0054-fs-zfs-Check-if-returned-pointer-for-allocated-memor.patch b/boot/grub2/0054-fs-zfs-Check-if-returned-pointer-for-allocated-memor.patch\ndeleted file mode 100644\nindex 1c208a7540..0000000000\n--- a/boot/grub2/0054-fs-zfs-Check-if-returned-pointer-for-allocated-memor.patch\n+++ /dev/null\n@@ -1,93 +0,0 @@\n-From 177ae1f6b05fbe5a8c8e83d468c189ff339d608f Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 22 Jan 2025 07:17:01 +0000\n-Subject: [PATCH] fs/zfs: Check if returned pointer for allocated memory is\n- NULL\n-\n-When using grub_malloc() or grub_zalloc(), these functions can fail if\n-we are out of memory. After allocating memory we should check if these\n-functions returned NULL and handle this error if they did.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 13065f69dae0eeb60813809026de5bd021051892\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/zfs/zfs.c | 26 ++++++++++++++++++++++++++\n- 1 file changed, 26 insertions(+)\n-\n-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c\n-index 9ab7bf319..6e6d1c921 100644\n---- a/grub-core/fs/zfs/zfs.c\n-+++ b/grub-core/fs/zfs/zfs.c\n-@@ -614,6 +614,8 @@ zfs_fetch_nvlist (struct grub_zfs_device_desc *diskdesc, char **nvlist)\n- return grub_error (GRUB_ERR_BUG, \"member drive unknown\");\n- \n- *nvlist = grub_malloc (VDEV_PHYS_SIZE);\n-+ if (!*nvlist)\n-+ return grub_errno;\n- \n- /* Read in the vdev name-value pair list (112K). */\n- err = grub_disk_read (diskdesc->dev->disk, diskdesc->vdev_phys_sector, 0,\n-@@ -725,6 +727,11 @@ fill_vdev_info_real (struct grub_zfs_data *data,\n- \n- \t fill->children = grub_calloc (fill->n_children,\n- \t\t\t\t\tsizeof (fill->children[0]));\n-+\t if (!fill->children)\n-+\t {\n-+\t grub_free (type);\n-+\t return grub_errno;\n-+\t }\n- \t}\n- \n- for (i = 0; i < nelm; i++)\n-@@ -2457,6 +2464,11 @@ fzap_iterate (dnode_end_t * zap_dnode, zap_phys_t * zap,\n- \t return grub_errno;\n- \t }\n- \t buf = grub_malloc (sz);\n-+\t if (!buf)\n-+\t {\n-+\t grub_free (l);\n-+\t return grub_errno;\n-+\t }\n- \t if (zap_leaf_array_get (l, endian, blksft,\n- \t\t\t\t grub_zfs_to_cpu16 (le->le_name_chunk,\n- \t\t\t\t\t\t endian),\n-@@ -2472,6 +2484,12 @@ fzap_iterate (dnode_end_t * zap_dnode, zap_phys_t * zap,\n- \t val_length = ((int) le->le_value_length\n- \t\t\t* (int) le->le_int_size);\n- \t val = grub_malloc (grub_zfs_to_cpu16 (val_length, endian));\n-+\t if (!val)\n-+\t {\n-+\t grub_free (l);\n-+\t grub_free (buf);\n-+\t return grub_errno;\n-+\t }\n- \t if (zap_leaf_array_get (l, endian, blksft,\n- \t\t\t\t grub_zfs_to_cpu16 (le->le_value_chunk,\n- \t\t\t\t\t\t endian),\n-@@ -3714,6 +3732,11 @@ zfs_mount (grub_device_t dev)\n- data->n_devices_allocated = 16;\n- data->devices_attached = grub_calloc (data->n_devices_allocated,\n- \t\t\t\t\tsizeof (data->devices_attached[0]));\n-+ if (!data->devices_attached)\n-+ {\n-+ grub_free (data);\n-+ return NULL;\n-+ }\n- data->n_devices_attached = 0;\n- err = scan_disk (dev, data, 1, &inserted);\n- if (err)\n-@@ -4252,6 +4275,9 @@ iterate_zap_snap (const char *name, grub_uint64_t val,\n- return grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"name length overflow\"));\n- \n- name2 = grub_malloc (sz);\n-+ if (!name2)\n-+ return grub_errno;\n-+\n- name2[0] = '@';\n- grub_memcpy (name2 + 1, name, grub_strlen (name) + 1);\n- ret = ctx->hook (name2, &info, ctx->hook_data);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0055-fs-zfs-Add-missing-NULL-check-after-grub_strdup-call.patch b/boot/grub2/0055-fs-zfs-Add-missing-NULL-check-after-grub_strdup-call.patch\ndeleted file mode 100644\nindex 0fcb427b74..0000000000\n--- a/boot/grub2/0055-fs-zfs-Add-missing-NULL-check-after-grub_strdup-call.patch\n+++ /dev/null\n@@ -1,29 +0,0 @@\n-From f60272b284e98ecd4ee38ec06aab6587cf525616 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 22 Jan 2025 07:17:04 +0000\n-Subject: [PATCH] fs/zfs: Add missing NULL check after grub_strdup() call\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: dd6a4c8d10e02ca5056681e75795041a343636e4\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/zfs/zfs.c | 2 ++\n- 1 file changed, 2 insertions(+)\n-\n-diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c\n-index 6e6d1c921..5ff647ffb 100644\n---- a/grub-core/fs/zfs/zfs.c\n-+++ b/grub-core/fs/zfs/zfs.c\n-@@ -3309,6 +3309,8 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol,\n- filename = 0;\n- snapname = 0;\n- fsname = grub_strdup (fullpath);\n-+ if (!fsname)\n-+\treturn grub_errno;\n- }\n- else\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0056-net-Use-safe-math-macros-to-prevent-overflows.patch b/boot/grub2/0056-net-Use-safe-math-macros-to-prevent-overflows.patch\ndeleted file mode 100644\nindex 111bfdf58a..0000000000\n--- a/boot/grub2/0056-net-Use-safe-math-macros-to-prevent-overflows.patch\n+++ /dev/null\n@@ -1,250 +0,0 @@\n-From 6cb15ce33f7c7153ef986f3fe710e22062d37ba7 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 22 Jan 2025 18:04:42 +0000\n-Subject: [PATCH] net: Use safe math macros to prevent overflows\n-\n-Replace direct arithmetic operations with macros from include/grub/safemath.h\n-to prevent potential overflow issues when calculating the memory sizes.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-\n-Conflicts:\n-\tgrub-core/net/bootp.c\n-\tgrub-core/net/net.c\n-\n-Upstream: 4beeff8a31c4fb4071d2225533cfa316b5a58391\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/bootp.c | 16 ++++++++--\n- grub-core/net/dns.c | 9 +++++-\n- grub-core/net/drivers/ieee1275/ofnet.c | 20 ++++++++++--\n- grub-core/net/net.c | 43 +++++++++++++++++++++-----\n- 4 files changed, 75 insertions(+), 13 deletions(-)\n-\n-diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c\n-index abe45ef7b..2f45a3cc2 100644\n---- a/grub-core/net/bootp.c\n-+++ b/grub-core/net/bootp.c\n-@@ -24,6 +24,7 @@\n- #include <grub/net/netbuff.h>\n- #include <grub/net/udp.h>\n- #include <grub/datetime.h>\n-+#include <grub/safemath.h>\n- \n- struct grub_dhcp_discover_options\n- {\n-@@ -686,6 +687,7 @@ grub_cmd_dhcpopt (struct grub_command *cmd __attribute__ ((unused)),\n- unsigned num;\n- const grub_uint8_t *ptr;\n- grub_uint8_t taglength;\n-+ grub_uint8_t len;\n- \n- if (argc < 4)\n- return grub_error (GRUB_ERR_BAD_ARGUMENT,\n-@@ -727,7 +729,12 @@ grub_cmd_dhcpopt (struct grub_command *cmd __attribute__ ((unused)),\n- if (grub_strcmp (args[3], \"string\") == 0)\n- {\n- grub_err_t err = GRUB_ERR_NONE;\n-- char *val = grub_malloc (taglength + 1);\n-+ char *val;\n-+\n-+ if (grub_add (taglength, 1, &len))\n-+\treturn grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"tag length overflow\"));\n-+\n-+ val = grub_malloc (len);\n- if (!val)\n- \treturn grub_errno;\n- grub_memcpy (val, ptr, taglength);\n-@@ -760,7 +767,12 @@ grub_cmd_dhcpopt (struct grub_command *cmd __attribute__ ((unused)),\n- if (grub_strcmp (args[3], \"hex\") == 0)\n- {\n- grub_err_t err = GRUB_ERR_NONE;\n-- char *val = grub_malloc (2 * taglength + 1);\n-+ char *val;\n-+\n-+ if (grub_mul (taglength, 2, &len) || grub_add (len, 1, &len))\n-+\treturn grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"tag length overflow\"));\n-+\n-+ val = grub_malloc (len);\n- int i;\n- if (!val)\n- \treturn grub_errno;\n-diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c\n-index fcc09aa65..39b0c46cf 100644\n---- a/grub-core/net/dns.c\n-+++ b/grub-core/net/dns.c\n-@@ -224,10 +224,17 @@ get_name (const grub_uint8_t *name_at, const grub_uint8_t *head,\n- {\n- int length;\n- char *ret;\n-+ int len;\n- \n- if (!check_name_real (name_at, head, tail, NULL, &length, NULL))\n- return NULL;\n-- ret = grub_malloc (length + 1);\n-+\n-+ if (grub_add (length, 1, &len))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"name length overflow\"));\n-+ return NULL;\n-+ }\n-+ ret = grub_malloc (len);\n- if (!ret)\n- return NULL;\n- if (!check_name_real (name_at, head, tail, NULL, NULL, ret))\n-diff --git a/grub-core/net/drivers/ieee1275/ofnet.c b/grub-core/net/drivers/ieee1275/ofnet.c\n-index 78f03df8e..c35b107ad 100644\n---- a/grub-core/net/drivers/ieee1275/ofnet.c\n-+++ b/grub-core/net/drivers/ieee1275/ofnet.c\n-@@ -22,6 +22,7 @@\n- #include <grub/net.h>\n- #include <grub/time.h>\n- #include <grub/i18n.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -391,6 +392,7 @@ search_net_devices (struct grub_ieee1275_devalias *alias)\n- grub_uint8_t *pprop;\n- char *shortname;\n- char need_suffix = 1;\n-+ grub_size_t sz;\n- \n- if (grub_strcmp (alias->type, \"network\") != 0)\n- return 0;\n-@@ -448,9 +450,23 @@ search_net_devices (struct grub_ieee1275_devalias *alias)\n- }\n- \n- if (need_suffix)\n-- ofdata->path = grub_malloc (grub_strlen (alias->path) + sizeof (SUFFIX));\n-+ {\n-+ if (grub_add (grub_strlen (alias->path), sizeof (SUFFIX), &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obatining size of ofdata path\"));\n-+\t grub_print_error ();\n-+\t return 0;\n-+\t}\n-+ }\n- else\n-- ofdata->path = grub_malloc (grub_strlen (alias->path) + 1);\n-+ {\n-+ if (grub_add (grub_strlen (alias->path), 1, &sz))\n-+\t{\n-+\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obatining size of ofdata path\"));\n-+\t grub_print_error ();\n-+\t return 0;\n-+\t}\n-+ }\n- if (!ofdata->path)\n- {\n- grub_print_error ();\n-diff --git a/grub-core/net/net.c b/grub-core/net/net.c\n-index 2bd490279..27df4669a 100644\n---- a/grub-core/net/net.c\n-+++ b/grub-core/net/net.c\n-@@ -32,6 +32,7 @@\n- #include <grub/loader.h>\n- #include <grub/bufio.h>\n- #include <grub/kernel.h>\n-+#include <grub/safemath.h>\n- \n- GRUB_MOD_LICENSE (\"GPLv3+\");\n- \n-@@ -206,6 +207,7 @@ grub_net_ipv6_get_slaac (struct grub_net_card *card,\n- {\n- struct grub_net_slaac_mac_list *slaac;\n- char *ptr;\n-+ grub_size_t sz;\n- \n- for (slaac = card->slaac_list; slaac; slaac = slaac->next)\n- if (grub_net_hwaddr_cmp (&slaac->address, hwaddr) == 0)\n-@@ -215,9 +217,16 @@ grub_net_ipv6_get_slaac (struct grub_net_card *card,\n- if (!slaac)\n- return NULL;\n- \n-- slaac->name = grub_malloc (grub_strlen (card->name)\n--\t\t\t + GRUB_NET_MAX_STR_HWADDR_LEN\n--\t\t\t + sizeof (\":slaac\"));\n-+ if (grub_add (grub_strlen (card->name),\n-+ (GRUB_NET_MAX_STR_HWADDR_LEN + sizeof (\":slaac\")), &sz))\n-+ {\n-+ grub_free (slaac);\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE,\n-+\t\t \"overflow detected while obtaining size of slaac name\");\n-+ return NULL;\n-+ }\n-+\n-+ slaac->name = grub_malloc (sz);\n- ptr = grub_stpcpy (slaac->name, card->name);\n- if (grub_net_hwaddr_cmp (&card->default_address, hwaddr) != 0)\n- {\n-@@ -288,6 +297,7 @@ grub_net_ipv6_get_link_local (struct grub_net_card *card,\n- char *name;\n- char *ptr;\n- grub_net_network_level_address_t addr;\n-+ grub_size_t sz;\n- \n- addr.type = GRUB_NET_NETWORK_LEVEL_PROTOCOL_IPV6;\n- addr.ipv6[0] = grub_cpu_to_be64_compile_time (0xfe80ULL << 48);\n-@@ -302,9 +312,14 @@ grub_net_ipv6_get_link_local (struct grub_net_card *card,\n- return inf;\n- }\n- \n-- name = grub_malloc (grub_strlen (card->name)\n--\t\t + GRUB_NET_MAX_STR_HWADDR_LEN\n--\t\t + sizeof (\":link\"));\n-+ if (grub_add (grub_strlen (card->name),\n-+ (GRUB_NET_MAX_STR_HWADDR_LEN + sizeof (\":link\")), &sz))\n-+ {\n-+ grub_error (GRUB_ERR_OUT_OF_RANGE,\n-+\t\t \"overflow detected while obtaining size of link name\");\n-+ return NULL;\n-+ }\n-+ name = grub_malloc (sz);\n- if (!name)\n- return NULL;\n- \n-@@ -1435,9 +1450,15 @@ grub_net_open_real (const char *name)\n- \t if (grub_strchr (port_start + 1, ':'))\n- \t {\n- \t int iplen = grub_strlen (server);\n-+\t grub_size_t sz;\n- \n- \t /* Bracket bare IPv6 addr. */\n--\t host = grub_malloc (iplen + 3);\n-+\t if (grub_add (iplen, 3, &sz))\n-+\t\t{\n-+\t\t grub_error (GRUB_ERR_OUT_OF_RANGE, N_(\"overflow detected while obtaining length of host\"));\n-+\t\t return NULL;\n-+\t\t}\n-+\t host = grub_malloc (sz);\n- \t if (!host)\n- return NULL;\n- \n-@@ -1692,6 +1713,7 @@ grub_env_set_net_property (const char *intername, const char *suffix,\n- {\n- char *varname, *varvalue;\n- char *ptr;\n-+ grub_size_t sz;\n- \n- varname = grub_xasprintf (\"net_%s_%s\", intername, suffix);\n- if (!varname)\n-@@ -1699,7 +1721,12 @@ grub_env_set_net_property (const char *intername, const char *suffix,\n- for (ptr = varname; *ptr; ptr++)\n- if (*ptr == ':')\n- *ptr = '_';\n-- varvalue = grub_malloc (len + 1);\n-+ if (grub_add (len, 1, &sz))\n-+ {\n-+ grub_free (varname);\n-+ return grub_error (GRUB_ERR_OUT_OF_RANGE, \"overflow detected while obtaining the size of an env variable\");\n-+ }\n-+ varvalue = grub_malloc (sz);\n- if (!varvalue)\n- {\n- grub_free (varname);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0057-net-Prevent-overflows-when-allocating-memory-for-arr.patch b/boot/grub2/0057-net-Prevent-overflows-when-allocating-memory-for-arr.patch\ndeleted file mode 100644\nindex b4a50f6a4f..0000000000\n--- a/boot/grub2/0057-net-Prevent-overflows-when-allocating-memory-for-arr.patch\n+++ /dev/null\n@@ -1,50 +0,0 @@\n-From 5d483e4c7c5a20a17a413f0cc51decfbb5828a5a Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 22 Jan 2025 18:04:43 +0000\n-Subject: [PATCH] net: Prevent overflows when allocating memory for arrays\n-\n-Use grub_calloc() when allocating memory for arrays to ensure proper\n-overflow checks are in place.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: dee2c14fd66bc497cdc74c69fde8c9b84637c8eb\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/dns.c | 4 ++--\n- grub-core/net/net.c | 4 ++--\n- 2 files changed, 4 insertions(+), 4 deletions(-)\n-\n-diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c\n-index 39b0c46cf..f20cd6f83 100644\n---- a/grub-core/net/dns.c\n-+++ b/grub-core/net/dns.c\n-@@ -470,8 +470,8 @@ grub_net_dns_lookup (const char *name,\n- \t && grub_get_time_ms () < dns_cache[h].limit_time)\n- \t{\n- \t grub_dprintf (\"dns\", \"retrieved from cache\\n\");\n--\t *addresses = grub_malloc (dns_cache[h].naddresses\n--\t\t\t\t * sizeof ((*addresses)[0]));\n-+\t *addresses = grub_calloc (dns_cache[h].naddresses,\n-+\t\t\t\t sizeof ((*addresses)[0]));\n- \t if (!*addresses)\n- \t return grub_errno;\n- \t *naddresses = dns_cache[h].naddresses;\n-diff --git a/grub-core/net/net.c b/grub-core/net/net.c\n-index 27df4669a..ea88ae8a8 100644\n---- a/grub-core/net/net.c\n-+++ b/grub-core/net/net.c\n-@@ -88,8 +88,8 @@ grub_net_link_layer_add_address (struct grub_net_card *card,\n- /* Add sender to cache table. */\n- if (card->link_layer_table == NULL)\n- {\n-- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE\n--\t\t\t\t\t * sizeof (card->link_layer_table[0]));\n-+ card->link_layer_table = grub_calloc (LINK_LAYER_CACHE_SIZE,\n-+\t\t\t\t\t sizeof (card->link_layer_table[0]));\n- if (card->link_layer_table == NULL)\n- \treturn;\n- }\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0058-net-Check-if-returned-pointer-for-allocated-memory-i.patch b/boot/grub2/0058-net-Check-if-returned-pointer-for-allocated-memory-i.patch\ndeleted file mode 100644\nindex 4ed78b82bf..0000000000\n--- a/boot/grub2/0058-net-Check-if-returned-pointer-for-allocated-memory-i.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From cc4c75dd3bf99f08fc2ef796b613c9413cf46399 Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Wed, 22 Jan 2025 18:04:44 +0000\n-Subject: [PATCH] net: Check if returned pointer for allocated memory is NULL\n-\n-When using grub_malloc(), the function can fail if we are out of memory.\n-After allocating memory we should check if this function returned NULL\n-and handle this error if it did.\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 1c06ec900591d1fab6fbacf80dc010541d0a5ec8\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/net.c | 5 +++++\n- 1 file changed, 5 insertions(+)\n-\n-diff --git a/grub-core/net/net.c b/grub-core/net/net.c\n-index ea88ae8a8..6774f4ad0 100644\n---- a/grub-core/net/net.c\n-+++ b/grub-core/net/net.c\n-@@ -227,6 +227,11 @@ grub_net_ipv6_get_slaac (struct grub_net_card *card,\n- }\n- \n- slaac->name = grub_malloc (sz);\n-+ if (slaac->name == NULL)\n-+ {\n-+ grub_free (slaac);\n-+ return NULL;\n-+ }\n- ptr = grub_stpcpy (slaac->name, card->name);\n- if (grub_net_hwaddr_cmp (&card->default_address, hwaddr) != 0)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0059-fs-sfs-Check-if-allocated-memory-is-NULL.patch b/boot/grub2/0059-fs-sfs-Check-if-allocated-memory-is-NULL.patch\ndeleted file mode 100644\nindex baf4efbac6..0000000000\n--- a/boot/grub2/0059-fs-sfs-Check-if-allocated-memory-is-NULL.patch\n+++ /dev/null\n@@ -1,37 +0,0 @@\n-From afacc73c48934b66e18d9d12fef2ae6b44f105ea Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Tue, 28 Jan 2025 05:15:50 +0000\n-Subject: [PATCH] fs/sfs: Check if allocated memory is NULL\n-\n-When using grub_zalloc(), if we are out of memory, this function can fail.\n-After allocating memory, we should check if grub_zalloc() returns NULL.\n-If so, we should handle this error.\n-\n-Fixes: CID 473856\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Ross Philipson <ross.philipson@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: e3c578a56f9294e286b6028ca7c1def997a17b15\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/sfs.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c\n-index 88705b3a2..bad4ae8d1 100644\n---- a/grub-core/fs/sfs.c\n-+++ b/grub-core/fs/sfs.c\n-@@ -429,6 +429,9 @@ grub_sfs_mount (grub_disk_t disk)\n- \t - 24 /* offsetof (struct grub_sfs_objc, objects) */\n- \t - 25); /* offsetof (struct grub_sfs_obj, filename) */\n- data->label = grub_zalloc (max_len + 1);\n-+ if (data->label == NULL)\n-+ goto fail;\n-+\n- grub_strncpy (data->label, (char *) rootobjc->objects[0].filename, max_len);\n- \n- grub_free (rootobjc_data);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0060-script-execute-Fix-potential-underflow-and-NULL-dere.patch b/boot/grub2/0060-script-execute-Fix-potential-underflow-and-NULL-dere.patch\ndeleted file mode 100644\nindex f84ee5de1f..0000000000\n--- a/boot/grub2/0060-script-execute-Fix-potential-underflow-and-NULL-dere.patch\n+++ /dev/null\n@@ -1,37 +0,0 @@\n-From 6cb70802581222ba80a37c3e2fd4b8357a859dad Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 29 Jan 2025 06:48:37 +0000\n-Subject: [PATCH] script/execute: Fix potential underflow and NULL dereference\n-\n-The result is initialized to 0 in grub_script_arglist_to_argv().\n-If the for loop condition is not met both result.args and result.argc\n-remain 0 causing result.argc - 1 to underflow and/or result.args NULL\n-dereference. Fix the issues by adding relevant checks.\n-\n-Fixes: CID 473880\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: d13b6e8ebd10b4eb16698a002aa40258cf6e6f0e\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/script/execute.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c\n-index e1450f45d..a86e0051f 100644\n---- a/grub-core/script/execute.c\n-+++ b/grub-core/script/execute.c\n-@@ -760,6 +760,9 @@ cleanup:\n- \t}\n- }\n- \n-+ if (result.args == NULL || result.argc == 0)\n-+ goto fail;\n-+\n- if (! result.args[result.argc - 1])\n- result.argc--;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0061-osdep-unix-getroot-Fix-potential-underflow.patch b/boot/grub2/0061-osdep-unix-getroot-Fix-potential-underflow.patch\ndeleted file mode 100644\nindex 6a5588c34e..0000000000\n--- a/boot/grub2/0061-osdep-unix-getroot-Fix-potential-underflow.patch\n+++ /dev/null\n@@ -1,40 +0,0 @@\n-From 050f09a5e16a935be4a4770f59f2a7ff977fc088 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Wed, 29 Jan 2025 06:48:38 +0000\n-Subject: [PATCH] osdep/unix/getroot: Fix potential underflow\n-\n-The entry_len is initialized in grub_find_root_devices_from_mountinfo()\n-to 0 before the while loop iterates through /proc/self/mountinfo. If the\n-file is empty or contains only invalid entries entry_len remains\n-0 causing entry_len - 1 in the subsequent for loop initialization\n-to underflow. To prevent this add a check to ensure entry_len > 0 before\n-entering the for loop.\n-\n-Fixes: CID 473877\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Reviewed-by: Ross Philipson <ross.philipson@oracle.com>\n-Upstream: 66733f7c7dae889861ea3ef3ec0710811486019e\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/osdep/linux/getroot.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c\n-index 7dd775d2a..527d4f0c5 100644\n---- a/grub-core/osdep/linux/getroot.c\n-+++ b/grub-core/osdep/linux/getroot.c\n-@@ -484,6 +484,9 @@ again:\n- \t}\n- }\n- \n-+ if (!entry_len)\n-+ goto out;\n-+\n- /* Now scan visible mounts for the ones we're interested in. */\n- for (i = entry_len - 1; i >= 0; i--)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0062-misc-Ensure-consistent-overflow-error-messages.patch b/boot/grub2/0062-misc-Ensure-consistent-overflow-error-messages.patch\ndeleted file mode 100644\nindex 2add69d943..0000000000\n--- a/boot/grub2/0062-misc-Ensure-consistent-overflow-error-messages.patch\n+++ /dev/null\n@@ -1,60 +0,0 @@\n-From 3a844f1139dd6fdcc90278239c8f6ea43aad9f2e Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Tue, 21 Jan 2025 19:02:39 +0000\n-Subject: [PATCH] misc: Ensure consistent overflow error messages\n-\n-Update the overflow error messages to make them consistent\n-across the GRUB code.\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: f8795cde217e21539c2f236bcbb1a4bf521086b3\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/ntfs.c | 2 +-\n- grub-core/fs/ntfscomp.c | 2 +-\n- grub-core/video/readers/png.c | 2 +-\n- 3 files changed, 3 insertions(+), 3 deletions(-)\n-\n-diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c\n-index bce81947c..b4c70a71d 100644\n---- a/grub-core/fs/ntfs.c\n-+++ b/grub-core/fs/ntfs.c\n-@@ -364,7 +364,7 @@ retry:\n- \t goto retry;\n- \t }\n- \t}\n-- return grub_error (GRUB_ERR_BAD_FS, \"run list overflown\");\n-+ return grub_error (GRUB_ERR_BAD_FS, \"run list overflow\");\n- }\n- ctx->curr_vcn = ctx->next_vcn;\n- ctx->next_vcn += read_run_data (run, c1, 0);\t/* length of current VCN */\n-diff --git a/grub-core/fs/ntfscomp.c b/grub-core/fs/ntfscomp.c\n-index f168a318e..b68bf5e40 100644\n---- a/grub-core/fs/ntfscomp.c\n-+++ b/grub-core/fs/ntfscomp.c\n-@@ -30,7 +30,7 @@ static grub_err_t\n- decomp_nextvcn (struct grub_ntfs_comp *cc)\n- {\n- if (cc->comp_head >= cc->comp_tail)\n-- return grub_error (GRUB_ERR_BAD_FS, \"compression block overflown\");\n-+ return grub_error (GRUB_ERR_BAD_FS, \"compression block overflow\");\n- if (grub_disk_read\n- (cc->disk,\n- (cc->comp_table[cc->comp_head].next_lcn -\n-diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c\n-index 3163e97bf..aa7524b7d 100644\n---- a/grub-core/video/readers/png.c\n-+++ b/grub-core/video/readers/png.c\n-@@ -626,7 +626,7 @@ static grub_err_t\n- grub_png_output_byte (struct grub_png_data *data, grub_uint8_t n)\n- {\n- if (--data->raw_bytes < 0)\n-- return grub_error (GRUB_ERR_BAD_FILE_TYPE, \"image size overflown\");\n-+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, \"image size overflow\");\n- \n- if (data->cur_column == 0)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0063-bus-usb-ehci-Define-GRUB_EHCI_TOGGLE-as-grub_uint32_.patch b/boot/grub2/0063-bus-usb-ehci-Define-GRUB_EHCI_TOGGLE-as-grub_uint32_.patch\ndeleted file mode 100644\nindex 18d5e88087..0000000000\n--- a/boot/grub2/0063-bus-usb-ehci-Define-GRUB_EHCI_TOGGLE-as-grub_uint32_.patch\n+++ /dev/null\n@@ -1,35 +0,0 @@\n-From 12dae049169b978aaa1e162f40954910ad90f2df Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Tue, 4 Feb 2025 15:11:10 +0000\n-Subject: [PATCH] bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t\n-\n-The Coverity indicates that GRUB_EHCI_TOGGLE is an int that contains\n-a negative value and we are using it for the variable token which is\n-grub_uint32_t. To remedy this we can cast the definition to grub_uint32_t.\n-\n-Fixes: CID 473851\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 9907d9c2723304b42cf6da74f1cc6c4601391956\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/bus/usb/ehci.c | 2 +-\n- 1 file changed, 1 insertion(+), 1 deletion(-)\n-\n-diff --git a/grub-core/bus/usb/ehci.c b/grub-core/bus/usb/ehci.c\n-index 9abebc6bd..2db07c7c0 100644\n---- a/grub-core/bus/usb/ehci.c\n-+++ b/grub-core/bus/usb/ehci.c\n-@@ -218,7 +218,7 @@ enum\n- \n- #define GRUB_EHCI_TERMINATE (1<<0)\n- \n--#define GRUB_EHCI_TOGGLE (1<<31)\n-+#define GRUB_EHCI_TOGGLE ((grub_uint32_t) 1<<31)\n- \n- enum\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0064-normal-menu-Use-safe-math-to-avoid-an-integer-overfl.patch b/boot/grub2/0064-normal-menu-Use-safe-math-to-avoid-an-integer-overfl.patch\ndeleted file mode 100644\nindex 8dffc38fa4..0000000000\n--- a/boot/grub2/0064-normal-menu-Use-safe-math-to-avoid-an-integer-overfl.patch\n+++ /dev/null\n@@ -1,46 +0,0 @@\n-From 6fa61b113427cb9db600a4a2a2f38ce09595f15f Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Tue, 4 Feb 2025 15:11:11 +0000\n-Subject: [PATCH] normal/menu: Use safe math to avoid an integer overflow\n-\n-The Coverity indicates that the variable current_entry might overflow.\n-To prevent this use safe math when adding GRUB_MENU_PAGE_SIZE to current_entry.\n-\n-On the occasion fix limiting condition which was broken.\n-\n-Fixes: CID 473853\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 5b36a5210e21bee2624f8acc36aefd8f10266adb\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/normal/menu.c | 5 ++---\n- 1 file changed, 2 insertions(+), 3 deletions(-)\n-\n-diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c\n-index 6a90e091f..7ac6abf93 100644\n---- a/grub-core/normal/menu.c\n-+++ b/grub-core/normal/menu.c\n-@@ -32,6 +32,7 @@\n- #include <grub/script_sh.h>\n- #include <grub/gfxterm.h>\n- #include <grub/dl.h>\n-+#include <grub/safemath.h>\n- \n- /* Time to delay after displaying an error message about a default/fallback\n- entry failing to boot. */\n-@@ -751,9 +752,7 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot, int *notify_boot)\n- \n- \t case GRUB_TERM_CTRL | 'c':\n- \t case GRUB_TERM_KEY_NPAGE:\n--\t if (current_entry + GRUB_MENU_PAGE_SIZE < menu->size)\n--\t\tcurrent_entry += GRUB_MENU_PAGE_SIZE;\n--\t else\n-+\t if (grub_add (current_entry, GRUB_MENU_PAGE_SIZE, ¤t_entry) || current_entry >= menu->size)\n- \t\tcurrent_entry = menu->size - 1;\n- \t menu_set_chosen_entry (current_entry);\n- \t break;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0065-kern-partition-Add-sanity-check-after-grub_strtoul-c.patch b/boot/grub2/0065-kern-partition-Add-sanity-check-after-grub_strtoul-c.patch\ndeleted file mode 100644\nindex 3f35ba5019..0000000000\n--- a/boot/grub2/0065-kern-partition-Add-sanity-check-after-grub_strtoul-c.patch\n+++ /dev/null\n@@ -1,51 +0,0 @@\n-From d5385ae4e4d0c443e188e43c2b0703b68aaf55a3 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Thu, 6 Feb 2025 18:16:56 +0000\n-Subject: [PATCH] kern/partition: Add sanity check after grub_strtoul() call\n-\n-The current code incorrectly assumes that both the input and the values\n-returned by grub_strtoul() are always valid which can lead to potential\n-errors. This fix ensures proper validation to prevent any unintended issues.\n-\n-Fixes: CID 473843\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 8e6e87e7923ca2ae880021cb42a35cc9bb4c8fe2\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/kern/partition.c | 12 ++++++++++--\n- 1 file changed, 10 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c\n-index 704512a20..c6a578cf4 100644\n---- a/grub-core/kern/partition.c\n-+++ b/grub-core/kern/partition.c\n-@@ -125,14 +125,22 @@ grub_partition_probe (struct grub_disk *disk, const char *str)\n- for (ptr = str; *ptr;)\n- {\n- grub_partition_map_t partmap;\n-- int num;\n-+ unsigned long num;\n- const char *partname, *partname_end;\n- \n- partname = ptr;\n- while (*ptr && grub_isalpha (*ptr))\n- \tptr++;\n- partname_end = ptr;\n-- num = grub_strtoul (ptr, &ptr, 0) - 1;\n-+\n-+ num = grub_strtoul (ptr, &ptr, 0);\n-+ if (*ptr != '\\0' || num == 0 || num > GRUB_INT_MAX)\n-+\t{\n-+\t grub_error (GRUB_ERR_BAD_NUMBER, N_(\"invalid partition number\"));\n-+\t return 0;\n-+\t}\n-+\n-+ num -= 1;\n- \n- curpart = 0;\n- /* Use the first partition map type found. */\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0066-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch b/boot/grub2/0066-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch\ndeleted file mode 100644\nindex 7e9e377154..0000000000\n--- a/boot/grub2/0066-kern-misc-Add-sanity-check-after-grub_strtoul-call.patch\n+++ /dev/null\n@@ -1,62 +0,0 @@\n-From 009d1b7189c6eba0b8d284c94a9ef7dc9db351d1 Mon Sep 17 00:00:00 2001\n-From: Lidong Chen <lidong.chen@oracle.com>\n-Date: Thu, 6 Feb 2025 18:16:57 +0000\n-Subject: [PATCH] kern/misc: Add sanity check after grub_strtoul() call\n-\n-When the format string, fmt0, includes a positional argument\n-grub_strtoul() or grub_strtoull() is called to extract the argument\n-position. However, the returned argument position isn't fully validated.\n-If the format is something like \"%0$x\" then these functions return\n-0 which leads to an underflow in the calculation of the args index, curn.\n-The fix is to add a check to ensure the extracted argument position is\n-greater than 0 before computing curn. Additionally, replace one\n-grub_strtoull() with grub_strtoul() and change curn type to make code\n-more correct.\n-\n-Fixes: CID 473841\n-\n-Signed-off-by: Lidong Chen <lidong.chen@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: a8d6b06331a75d75b46f3dd6cc6fcd40dcf604b7\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/kern/misc.c | 9 +++++++--\n- 1 file changed, 7 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c\n-index 7cee5d75c..2b7922393 100644\n---- a/grub-core/kern/misc.c\n-+++ b/grub-core/kern/misc.c\n-@@ -830,7 +830,7 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,\n- while ((c = *fmt++) != 0)\n- {\n- int longfmt = 0;\n-- grub_size_t curn;\n-+ unsigned long curn;\n- const char *p;\n- \n- if (c != '%')\n-@@ -848,7 +848,10 @@ parse_printf_arg_fmt (const char *fmt0, struct printf_args *args,\n- \n- if (*fmt == '$')\n- \t{\n--\t curn = grub_strtoull (p, 0, 10) - 1;\n-+\t curn = grub_strtoul (p, 0, 10);\n-+\t if (curn == 0)\n-+\t continue;\n-+\t curn--;\n- \t fmt++;\n- \t}\n- \n-@@ -1034,6 +1037,8 @@ grub_vsnprintf_real (char *str, grub_size_t max_len, const char *fmt0,\n- \n- if (*fmt == '$')\n- \t{\n-+\t if (format1 == 0)\n-+\t continue;\n- \t curn = format1 - 1;\n- \t fmt++;\n- \t format1 = 0;\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0067-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch b/boot/grub2/0067-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch\ndeleted file mode 100644\nindex 7cdef992be..0000000000\n--- a/boot/grub2/0067-loader-i386-linux-Cast-left-shift-to-grub_uint32_t.patch\n+++ /dev/null\n@@ -1,35 +0,0 @@\n-From 3668d0c12b0604d08cf290529797c348a59483ea Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Fri, 7 Feb 2025 01:47:57 +0000\n-Subject: [PATCH] loader/i386/linux: Cast left shift to grub_uint32_t\n-\n-The Coverity complains that we might overflow into a negative value when\n-setting linux_params.kernel_alignment to (1 << align). We can remedy\n-this by casting it to grub_uint32_t.\n-\n-Fixes: CID 473876\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 490a6ab71cebd96fae7a1ceb9067484f5ccbec2a\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/loader/i386/linux.c | 2 +-\n- 1 file changed, 1 insertion(+), 1 deletion(-)\n-\n-diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c\n-index 977757f2c..b051600c8 100644\n---- a/grub-core/loader/i386/linux.c\n-+++ b/grub-core/loader/i386/linux.c\n-@@ -806,7 +806,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),\n- }\n- \n- linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR;\n-- linux_params.kernel_alignment = (1 << align);\n-+ linux_params.kernel_alignment = ((grub_uint32_t) 1 << align);\n- linux_params.ps_mouse = linux_params.padding11 = 0;\n- linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE;\n- \n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0068-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch b/boot/grub2/0068-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch\ndeleted file mode 100644\nindex e9a7acc084..0000000000\n--- a/boot/grub2/0068-loader-i386-bsd-Use-safe-math-to-avoid-underflow.patch\n+++ /dev/null\n@@ -1,61 +0,0 @@\n-From 02a0365799f5ca3d70c4e28b5d11ade56c4c1652 Mon Sep 17 00:00:00 2001\n-From: Alec Brown <alec.r.brown@oracle.com>\n-Date: Wed, 5 Feb 2025 22:04:08 +0000\n-Subject: [PATCH] loader/i386/bsd: Use safe math to avoid underflow\n-\n-The operation kern_end - kern_start may underflow when we input it into\n-grub_relocator_alloc_chunk_addr() call. To avoid this we can use safe\n-math for this subtraction.\n-\n-Fixes: CID 73845\n-\n-Signed-off-by: Alec Brown <alec.r.brown@oracle.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 4dc6166571645780c459dde2cdc1b001a5ec844c\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/loader/i386/bsd.c | 14 ++++++++++----\n- 1 file changed, 10 insertions(+), 4 deletions(-)\n-\n-diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c\n-index 1f9128f6f..578433402 100644\n---- a/grub-core/loader/i386/bsd.c\n-+++ b/grub-core/loader/i386/bsd.c\n-@@ -1340,6 +1340,7 @@ static grub_err_t\n- grub_bsd_load_elf (grub_elf_t elf, const char *filename)\n- {\n- grub_err_t err;\n-+ grub_size_t sz;\n- \n- kern_end = 0;\n- kern_start = ~0;\n-@@ -1370,8 +1371,11 @@ grub_bsd_load_elf (grub_elf_t elf, const char *filename)\n- \n- if (grub_errno)\n- \treturn grub_errno;\n-- err = grub_relocator_alloc_chunk_addr (relocator, &ch,\n--\t\t\t\t\t kern_start, kern_end - kern_start);\n-+\n-+ if (grub_sub (kern_end, kern_start, &sz))\n-+\treturn grub_error (GRUB_ERR_OUT_OF_RANGE, \"underflow detected while determining size of kernel for relocator\");\n-+\n-+ err = grub_relocator_alloc_chunk_addr (relocator, &ch, kern_start, sz);\n- if (err)\n- \treturn err;\n- \n-@@ -1431,8 +1435,10 @@ grub_bsd_load_elf (grub_elf_t elf, const char *filename)\n- {\n- \tgrub_relocator_chunk_t ch;\n- \n--\terr = grub_relocator_alloc_chunk_addr (relocator, &ch, kern_start,\n--\t\t\t\t\t kern_end - kern_start);\n-+\tif (grub_sub (kern_end, kern_start, &sz))\n-+\t return grub_error (GRUB_ERR_OUT_OF_RANGE, \"underflow detected while determining size of kernel for relocator\");\n-+\n-+\terr = grub_relocator_alloc_chunk_addr (relocator, &ch, kern_start, sz);\n- \tif (err)\n- \t return err;\n- \tkern_chunk_src = get_virtual_current_address (ch);\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0069-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch b/boot/grub2/0069-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch\ndeleted file mode 100644\nindex f39210c0c6..0000000000\n--- a/boot/grub2/0069-fs-ext2-Rework-out-of-bounds-read-for-inline-and-ext.patch\n+++ /dev/null\n@@ -1,69 +0,0 @@\n-From 156ee67f3e76aee99d6e40e5e029f56d681cb80a Mon Sep 17 00:00:00 2001\n-From: Michael Chang <mchang@suse.com>\n-Date: Fri, 21 Feb 2025 09:06:12 +0800\n-Subject: [PATCH] fs/ext2: Rework out-of-bounds read for inline and external\n- extents\n-\n-Previously, the number of extent entries was not properly capped based\n-on the actual available space. This could lead to insufficient reads for\n-external extents, since the computation was based solely on the inline\n-extent layout.\n-\n-In this patch, when processing the extent header, we determine whether\n-the header is stored inline (i.e., at inode->blocks.dir_blocks) or in an\n-external extent block. We then clamp the number of entries accordingly\n-(using max_inline_ext for inline extents and max_external_ext for\n-external extent blocks).\n-\n-This change ensures that only the valid number of extent entries is\n-processed, preventing out-of-bound reads and potential filesystem\n-corruption.\n-\n-Fixes: 7e2f750f0a (fs/ext2: Fix out-of-bounds read for inline extents)\n-\n-Signed-off-by: Michael Chang <mchang@suse.com>\n-Upstream: 348cd416a3574348f4255bf2b04ec95938990997\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/ext2.c | 17 +++++++++++++++--\n- 1 file changed, 15 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c\n-index c3058f7e7..a38c86c4f 100644\n---- a/grub-core/fs/ext2.c\n-+++ b/grub-core/fs/ext2.c\n-@@ -496,7 +496,10 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)\n- int i;\n- grub_disk_addr_t ret;\n- grub_uint16_t nent;\n-+ /* maximum number of extent entries in the inode's inline extent area */\n- const grub_uint16_t max_inline_ext = sizeof (inode->blocks) / sizeof (*ext) - 1; /* Minus 1 extent header. */\n-+ /* maximum number of extent entries in the external extent block */\n-+ const grub_uint16_t max_external_ext = EXT2_BLOCK_SIZE(data) / sizeof (*ext) - 1; /* Minus 1 extent header. */\n- \n- if (grub_ext4_find_leaf (data, (struct grub_ext4_extent_header *) inode->blocks.dir_blocks,\n- \t\t\t fileblock, &leaf) != GRUB_ERR_NONE)\n-@@ -513,8 +516,18 @@ grub_ext2_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)\n- \n- nent = grub_le_to_cpu16 (leaf->entries);\n- \n-- if (leaf->depth == 0)\n--\tnent = grub_min (nent, max_inline_ext);\n-+ /*\n-+ * Determine the effective number of extent entries (nent) to process:\n-+ * If the extent header (leaf) is stored inline in the inode's block\n-+ * area (i.e. at inode->blocks.dir_blocks), then only max_inline_ext\n-+ * entries can fit.\n-+ * Otherwise, if the header was read from an external extent block, use\n-+ * the larger limit, max_external_ext, based on the full block size.\n-+ */\n-+ if (leaf == (struct grub_ext4_extent_header *) inode->blocks.dir_blocks)\n-+ nent = grub_min (nent, max_inline_ext);\n-+ else\n-+ nent = grub_min (nent, max_external_ext);\n- \n- for (i = 0; i < nent; i++)\n- {\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0070-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch b/boot/grub2/0070-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch\ndeleted file mode 100644\nindex 3a5769e6cc..0000000000\n--- a/boot/grub2/0070-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch\n+++ /dev/null\n@@ -1,53 +0,0 @@\n-From f5234334c2c5958a55c2bdfbcaf63b6814d31d5f Mon Sep 17 00:00:00 2001\n-From: Egor Ignatov <egori@altlinux.org>\n-Date: Thu, 23 Jan 2025 20:44:14 +0300\n-Subject: [PATCH] fs/xfs: Fix grub_xfs_iterate_dir return value in case of\n- failure\n-\n-Commit ef7850c757 introduced multiple boundary checks in grub_xfs_iterate_dir()\n-but handled the error incorrectly returning error code instead of 0.\n-\n-Also change the error message so that it doesn't match the message\n-in grub_xfs_read_inode().\n-\n-Fixes: ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)\n-\n-Signed-off-by: Egor Ignatov <egori@altlinux.org>\n-Upstream: f209887381a56dea79152ab26ffb485718e3218e\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/xfs.c | 11 +++++++++--\n- 1 file changed, 9 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index 70c9f449b..e0daeb45f 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -870,7 +870,11 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,\n- \t grub_uint8_t c;\n- \n- \t if ((inopos + (smallino ? 4 : 8)) > (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))\n--\t return grub_error (GRUB_ERR_BAD_FS, \"not a correct XFS inode\");\n-+\t {\n-+\t\tgrub_error (GRUB_ERR_BAD_FS, \"invalid XFS inode\");\n-+\t\treturn 0;\n-+\t }\n-+\n- \n- \t /* inopos might be unaligned. */\n- \t if (smallino)\n-@@ -979,7 +983,10 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,\n- \n- \t\tfilename = (char *)(direntry + 1);\n- \t\tif (filename + direntry->len + 1 > (char *) end)\n--\t\t return grub_error (GRUB_ERR_BAD_FS, \"invalid XFS directory entry\");\n-+\t\t {\n-+\t\t grub_error (GRUB_ERR_BAD_FS, \"invalid XFS directory entry\");\n-+\t\t return 0;\n-+\t\t }\n- \n- \t\t/* The byte after the filename is for the filetype, padding, or\n- \t\t tag, which is not used by GRUB. So it can be overwritten. */\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0071-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch b/boot/grub2/0071-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch\ndeleted file mode 100644\nindex 05e31957c5..0000000000\n--- a/boot/grub2/0071-fs-xfs-Propagate-incorrect-inode-error-from-grub_xfs.patch\n+++ /dev/null\n@@ -1,77 +0,0 @@\n-From 6becb747027c4f9cdb10f23d6eb24fcc238e8b68 Mon Sep 17 00:00:00 2001\n-From: Egor Ignatov <egori@altlinux.org>\n-Date: Thu, 23 Jan 2025 20:44:15 +0300\n-Subject: [PATCH] fs/xfs: Propagate incorrect inode error from\n- grub_xfs_read_inode\n-\n-The incorrect inode error from grub_xfs_read_inode did not propagate because\n-grub_print_error() resetted grub_errno, and grub_xfs_iterate_dir() did not\n-handle it at all.\n-\n-Signed-off-by: Egor Ignatov <egori@altlinux.org>\n-Upstream: https://www.mail-archive.com/grub-devel@gnu.org/msg40098.html\n-[Not accepted upstream, but in Debian]\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/xfs.c | 14 ++++++++++++--\n- 1 file changed, 12 insertions(+), 2 deletions(-)\n-\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index e0daeb45f..28a342996 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -806,7 +806,6 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,\n- fdiro = grub_malloc (sz);\n- if (!fdiro)\n- {\n-- grub_print_error ();\n- return 0;\n- }\n- \n-@@ -818,7 +817,6 @@ static int iterate_dir_call_hook (grub_uint64_t ino, const char *filename,\n- err = grub_xfs_read_inode (ctx->diro->data, ino, &fdiro->inode);\n- if (err)\n- {\n-- grub_print_error ();\n- grub_free (fdiro);\n- return 0;\n- }\n-@@ -858,9 +856,13 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,\n- \t/* Synthesize the direntries for `.' and `..'. */\n- \tif (iterate_dir_call_hook (diro->ino, \".\", &ctx))\n- \t return 1;\n-+\telse if (grub_errno)\n-+\t return 0;\n- \n- \tif (iterate_dir_call_hook (parent, \"..\", &ctx))\n- \t return 1;\n-+\telse if (grub_errno)\n-+\t return 0;\n- \n- \tfor (i = 0; i < head->count &&\n- \t (grub_uint8_t *) de < ((grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data)); i++)\n-@@ -901,6 +903,9 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,\n- \t }\n- \t de->name[de->len] = c;\n- \n-+\t if (grub_errno)\n-+\t return 0;\n-+\n- \t de = grub_xfs_inline_next_de(dir->data, head, de);\n- \t }\n- \tbreak;\n-@@ -998,6 +1003,11 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,\n- \t\t grub_free (dirblock);\n- \t\t return 1;\n- \t\t }\n-+\t\telse if (grub_errno)\n-+\t\t {\n-+\t\t grub_free (dirblock);\n-+\t\t return 0;\n-+\t\t }\n- \n- \t\t/*\n- \t\t * The expected number of directory entries is only tracked for the\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0072-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch b/boot/grub2/0072-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch\ndeleted file mode 100644\nindex 2d5887dfca..0000000000\n--- a/boot/grub2/0072-fs-xfs-Handle-root-inode-read-failure-in-grub_xfs_mo.patch\n+++ /dev/null\n@@ -1,29 +0,0 @@\n-From 462f1d1a64e57310d10dcd325b36587a1a367d0a Mon Sep 17 00:00:00 2001\n-From: Egor Ignatov <egori@altlinux.org>\n-Date: Thu, 23 Jan 2025 20:44:13 +0300\n-Subject: [PATCH] fs/xfs: Handle root inode read failure in grub_xfs_mount\n-\n-Signed-off-by: Egor Ignatov <egori@altlinux.org>\n-Upstream: https://www.mail-archive.com/grub-devel@gnu.org/msg40099.html\n-[Not accepted upstream, but in Debian]\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/fs/xfs.c | 2 ++\n- 1 file changed, 2 insertions(+)\n-\n-diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c\n-index 28a342996..59bdee5f9 100644\n---- a/grub-core/fs/xfs.c\n-+++ b/grub-core/fs/xfs.c\n-@@ -1086,6 +1086,8 @@ grub_xfs_mount (grub_disk_t disk)\n- \t grub_cpu_to_be64(data->sblock.rootino));\n- \n- grub_xfs_read_inode (data, data->diropen.ino, &data->diropen.inode);\n-+ if (grub_errno)\n-+ goto fail;\n- \n- return data;\n- fail:\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch b/boot/grub2/0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch\ndeleted file mode 100644\nindex 97bad8c635..0000000000\n--- a/boot/grub2/0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch\n+++ /dev/null\n@@ -1,36 +0,0 @@\n-From 516af0a5bd172123d4c7ff281d65b1f4b0035258 Mon Sep 17 00:00:00 2001\n-From: Nicolas Frayer <nfrayer@redhat.com>\n-Date: Wed, 19 Mar 2025 17:39:41 +0100\n-Subject: [PATCH] net/drivers/ieee1275/ofnet: Add missing grub_malloc()\n-\n-The grub_malloc() has been inadvertently removed from the code after it\n-has been modified to use safe math functions.\n-\n-Fixes: 4beeff8a (net: Use safe math macros to prevent overflows)\n-\n-Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>\n-Tested-by: Marta Lewandowska <mlewando@redhat.com>\n-Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>\n-Upstream: 3b25e494d47e7a728e7ce6264b10f2aa1063f9c7\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/net/drivers/ieee1275/ofnet.c | 3 +++\n- 1 file changed, 3 insertions(+)\n-\n-diff --git a/grub-core/net/drivers/ieee1275/ofnet.c b/grub-core/net/drivers/ieee1275/ofnet.c\n-index c35b107ad..3004b970e 100644\n---- a/grub-core/net/drivers/ieee1275/ofnet.c\n-+++ b/grub-core/net/drivers/ieee1275/ofnet.c\n-@@ -467,6 +467,9 @@ search_net_devices (struct grub_ieee1275_devalias *alias)\n- \t return 0;\n- \t}\n- }\n-+\n-+ ofdata->path = grub_malloc (sz);\n-+\n- if (!ofdata->path)\n- {\n- grub_print_error ();\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/0074-Constant-time-grub_crypto_memcmp.patch b/boot/grub2/0074-Constant-time-grub_crypto_memcmp.patch\ndeleted file mode 100644\nindex e7d89e02e7..0000000000\n--- a/boot/grub2/0074-Constant-time-grub_crypto_memcmp.patch\n+++ /dev/null\n@@ -1,64 +0,0 @@\n-From 4bbd6ae38efc7c0ae9ffd343157b7f3f37bd729c Mon Sep 17 00:00:00 2001\n-From: Gary Lin <glin@suse.com>\n-Date: Fri, 25 Jul 2025 13:50:23 +0800\n-Subject: [PATCH] Constant-time grub_crypto_memcmp()\n-\n-Use the constant-time algorithm to compare the given memory blocks.\n-The code is extracted from the upstream commit:\n-0739d24cd1648531d0708d1079ff6bbfa6140268\n-\n-Fix: bsc#1234959\n-\n-CVE: CVE-2024-56738\n-Signed-off-by: Gary Lin <glin@suse.com>\n-Upstream: not submitted upstream, as upstream has switched to gcrypt\n-Taken-from: https://build.opensuse.org/projects/SUSE:SLE-15-SP5:Update/packages/grub2.39923/files/grub2-constant-time-grub_crypto_memcmp.patch?expand=0\n-Fixes: https://www.cve.org/CVERecord?id=CVE-2024-56738\n-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>\n----\n- grub-core/lib/crypto.c | 23 ++++++++++++++++-------\n- 1 file changed, 16 insertions(+), 7 deletions(-)\n-\n-diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c\n-index 396f76410..19db7870a 100644\n---- a/grub-core/lib/crypto.c\n-+++ b/grub-core/lib/crypto.c\n-@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)\n- return GRUB_ACCESS_DENIED;\n- }\n- \n-+/*\n-+ * Compare byte arrays of length LEN, return 1 if it's not same,\n-+ * 0, otherwise.\n-+ */\n- int\n--grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)\n-+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)\n- {\n-- register grub_size_t counter = 0;\n-- const grub_uint8_t *pa, *pb;\n-+ const grub_uint8_t *a = b1;\n-+ const grub_uint8_t *b = b2;\n-+ int ab, ba;\n-+ grub_size_t i;\n- \n-- for (pa = a, pb = b; n; pa++, pb++, n--)\n-+ /* Constant-time compare. */\n-+ for (i = 0, ab = 0, ba = 0; i < len; i++)\n- {\n-- if (*pa != *pb)\n--\tcounter++;\n-+ /* If a[i] != b[i], either ab or ba will be negative. */\n-+ ab |= a[i] - b[i];\n-+ ba |= b[i] - a[i];\n- }\n- \n-- return !!counter;\n-+ /* 'ab | ba' is negative when buffers are not equal, extract sign bit. */\n-+ return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;\n- }\n- \n- #ifndef GRUB_UTIL\n--- \n-2.50.1\n-\ndiff --git a/boot/grub2/grub2.hash b/boot/grub2/grub2.hash\nindex 65a8ec8e4f..5b5ac28eda 100644\n--- a/boot/grub2/grub2.hash\n+++ b/boot/grub2/grub2.hash\n@@ -1,5 +1,5 @@\n # Locally calculated after checking signature\n-# https://ftp.gnu.org/gnu/grub/grub-2.12.tar.xz.sig\n-sha256 f3c97391f7c4eaa677a78e090c7e97e6dc47b16f655f04683ebd37bef7fe0faa grub-2.12.tar.xz\n+# https://ftp.gnu.org/gnu/grub/grub-2.14.tar.xz.sig\n+sha256 bc8d3c73535b8838d8c8e2654d73edc4e6ae8c8acdb45d5df5dc9a1547446d43 grub-2.14.tar.xz\n # Locally computed:\n sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING\ndiff --git a/boot/grub2/grub2.mk b/boot/grub2/grub2.mk\nindex fdf274d9aa..b3614a7da6 100644\n--- a/boot/grub2/grub2.mk\n+++ b/boot/grub2/grub2.mk\n@@ -4,7 +4,7 @@\n #\n ################################################################################\n \n-GRUB2_VERSION = 2.12\n+GRUB2_VERSION = 2.14\n GRUB2_SITE = $(BR2_GNU_MIRROR)/grub\n GRUB2_SOURCE = grub-$(GRUB2_VERSION).tar.xz\n GRUB2_LICENSE = GPL-3.0+\n@@ -15,37 +15,6 @@ HOST_GRUB2_DEPENDENCIES = host-bison host-flex host-gawk \\\n \t$(BR2_PYTHON3_HOST_DEPENDENCY)\n GRUB2_INSTALL_IMAGES = YES\n \n-# 0004-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch (yes, two\n-# CVEs are fixed by this patch)\n-GRUB2_IGNORE_CVES += CVE-2024-45782\n-GRUB2_IGNORE_CVES += CVE-2024-56737\n-\n-# 0006-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch\n-GRUB2_IGNORE_CVES += CVE-2024-45780\n-\n-# 0037-gettext-Integer-overflow-leads-to-heap-OOB-write.patch\n-GRUB2_IGNORE_CVES += CVE-2024-45777\n-\n-# 0043-fs-bfs-Disable-under-lockdown.patch (yes, two CVEs are fixed by\n-# this patch)\n-GRUB2_IGNORE_CVES += CVE-2024-45778\n-GRUB2_IGNORE_CVES += CVE-2024-45779\n-\n-# 0044-fs-Disable-many-filesystems-under-lockdown.patch (yes, four\n-# CVEs are fixed by this patch)\n-GRUB2_IGNORE_CVES += CVE-2025-0684\n-GRUB2_IGNORE_CVES += CVE-2025-0685\n-GRUB2_IGNORE_CVES += CVE-2025-0686\n-GRUB2_IGNORE_CVES += CVE-2025-0689\n-\n-# 0050-fs-Prevent-overflows-when-allocating-memory-for-arra.patch\n-# (yes, two CVEs are fixed by this patch)\n-GRUB2_IGNORE_CVES += CVE-2025-0678\n-GRUB2_IGNORE_CVES += CVE-2025-1125\n-\n-# 0074-Constant-time-grub_crypto_memcmp.patch\n-GRUB2_IGNORE_CVES += CVE-2024-56738\n-\n ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)\n GRUB2_INSTALL_TARGET = YES\n else\n", "prefixes": [ "2/2" ] }