summaryrefslogtreecommitdiffstats
path: root/meta/recipes-bsp/grub/files
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-bsp/grub/files')
-rw-r--r--meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch235
-rw-r--r--meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch30
-rw-r--r--meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch65
-rw-r--r--meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch59
-rw-r--r--meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch53
-rw-r--r--meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch52
-rw-r--r--meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch53
-rw-r--r--meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch55
-rw-r--r--meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch41
-rw-r--r--meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch34
-rw-r--r--meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch128
-rw-r--r--meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch28
-rw-r--r--meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch42
-rw-r--r--meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch121
-rw-r--r--meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch56
-rw-r--r--meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch35
-rw-r--r--meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch82
-rw-r--r--meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch36
-rw-r--r--meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch43
-rw-r--r--meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch52
-rw-r--r--meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch56
-rw-r--r--meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch94
-rw-r--r--meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch78
-rw-r--r--meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch104
-rw-r--r--meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch39
-rw-r--r--meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch38
-rw-r--r--meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch34
-rw-r--r--meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch47
-rw-r--r--meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch38
-rw-r--r--meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch77
-rw-r--r--meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch42
-rw-r--r--meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch41
-rw-r--r--meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch46
-rw-r--r--meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch50
-rw-r--r--meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch28
-rw-r--r--meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch33
-rw-r--r--meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch37
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-10713.patch73
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch1863
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch1330
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372.patch76
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch130
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch431
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch57
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch52
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch158
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch117
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch177
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-25632.patch90
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-25647.patch119
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27749.patch609
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779.patch70
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch105
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch37
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch35
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch62
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch61
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch65
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20225.patch58
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-20233.patch50
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3695.patch178
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3696.patch46
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3697.patch82
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2021-3981.patch32
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-2601.patch87
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28733.patch60
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28734.patch67
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28735.patch271
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-28736.patch275
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2022-3775.patch97
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4692.patch97
-rw-r--r--meta/recipes-bsp/grub/files/CVE-2023-4693.patch62
-rw-r--r--meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch246
-rw-r--r--meta/recipes-bsp/grub/files/determinism.patch56
-rw-r--r--meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch117
-rw-r--r--meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch287
-rw-r--r--meta/recipes-bsp/grub/files/no-insmod-on-sb.patch107
-rw-r--r--meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch94
-rw-r--r--meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch37
88 files changed, 10685 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
new file mode 100644
index 0000000000..eaaa7effae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-mmap-Fix-memory-leak-when-iterating-over-mapped-memo.patch
@@ -0,0 +1,39 @@
+From 0900f11def2e7fbb4880efff0cd9c9b32f1cdb86 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 3 Dec 2020 14:39:45 +0000
+Subject: [PATCH] mmap: Fix memory leak when iterating over mapped memory
+
+When returning from grub_mmap_iterate() the memory allocated to present
+is not being released causing it to leak.
+
+Fixes: CID 96655
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8cb2848f9699642a698af84b12ba187cab722031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/mmap/mmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 7ebf32e..8bf235f 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -270,6 +270,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ hook_data))
+ {
+ grub_free (ctx.scanline_events);
++ grub_free (present);
+ return GRUB_ERR_NONE;
+ }
+
+@@ -282,6 +283,7 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ }
+
+ grub_free (ctx.scanline_events);
++ grub_free (present);
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
new file mode 100644
index 0000000000..d00821f5c3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0002-net-net-Fix-possible-dereference-to-of-a-NULL-pointe.patch
@@ -0,0 +1,39 @@
+From f216a75e884ed5e4e94bf86965000dde51148f94 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 27 Nov 2020 15:10:26 +0000
+Subject: [PATCH] net/net: Fix possible dereference to of a NULL pointer
+
+It is always possible that grub_zalloc() could fail, so we should check for
+a NULL return. Otherwise we run the risk of dereferencing a NULL pointer.
+
+Fixes: CID 296221
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03f2515ae0c503406f1a99a2178405049c6555db]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/net/net.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 38f19df..7c2cdf2 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -86,8 +86,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
+
+ /* Add sender to cache table. */
+ if (card->link_layer_table == NULL)
+- card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
+- * sizeof (card->link_layer_table[0]));
++ {
++ card->link_layer_table = grub_zalloc (LINK_LAYER_CACHE_SIZE
++ * sizeof (card->link_layer_table[0]));
++ if (card->link_layer_table == NULL)
++ return;
++ }
++
+ entry = &(card->link_layer_table[card->new_ll_entry]);
+ entry->avail = 1;
+ grub_memcpy (&entry->ll_address, ll, sizeof (entry->ll_address));
diff --git a/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
new file mode 100644
index 0000000000..3b4633507d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0003-net-tftp-Fix-dangling-memory-pointer.patch
@@ -0,0 +1,33 @@
+From 09cc0df477758b60f51fbc0da1dee2f5d54c333d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 19 Feb 2021 17:12:23 +0000
+Subject: [PATCH] net/tftp: Fix dangling memory pointer
+
+The static code analysis tool, Parfait, reported that the valid of
+file->data was left referencing memory that was freed by the call to
+grub_free(data) where data was initialized from file->data.
+
+To ensure that there is no unintentional access to this memory
+referenced by file->data we should set the pointer to NULL.
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0cb838b281a68b536a09681f9557ea6a7ac5da7a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/net/tftp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 7d90bf6..f76b19f 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -468,6 +468,7 @@ tftp_close (struct grub_file *file)
+ }
+ destroy_pq (data);
+ grub_free (data);
++ file->data = NULL;
+ return GRUB_ERR_NONE;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
new file mode 100644
index 0000000000..933416605c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0004-kern-parser-Fix-resource-leak-if-argc-0.patch
@@ -0,0 +1,50 @@
+From 8861fa6226f7229105722ba669465e879b56ee2b Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 22 Jan 2021 12:32:41 +0000
+Subject: [PATCH] kern/parser: Fix resource leak if argc == 0
+
+After processing the command-line yet arriving at the point where we are
+setting argv, we are allocating memory, even if argc == 0, which makes
+no sense since we never put anything into the allocated argv.
+
+The solution is to simply return that we've successfully processed the
+arguments but that argc == 0, and also ensure that argv is NULL when
+we're not allocating anything in it.
+
+There are only 2 callers of this function, and both are handling a zero
+value in argc assuming nothing is allocated in argv.
+
+Fixes: CID 96680
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d06161b035dde4769199ad65aa0a587a5920012b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/parser.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 619db31..d1cf061 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -146,6 +146,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ int i;
+
+ *argc = 0;
++ *argv = NULL;
+ do
+ {
+ if (!rd || !*rd)
+@@ -207,6 +208,10 @@ grub_parser_split_cmdline (const char *cmdline,
+ (*argc)++;
+ }
+
++ /* If there are no args, then we're done. */
++ if (!*argc)
++ return 0;
++
+ /* Reserve memory for the return values. */
+ args = grub_malloc (bp - buffer);
+ if (!args)
diff --git a/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
new file mode 100644
index 0000000000..04748befc8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0005-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
@@ -0,0 +1,235 @@
+From 16a4d739b19f8680cf93a3c8fa0ae9fc1b1c310b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 16:53:27 -0400
+Subject: [PATCH] efi: Fix some malformed device path arithmetic errors
+
+Several places we take the length of a device path and subtract 4 from
+it, without ever checking that it's >= 4. There are also cases where
+this kind of malformation will result in unpredictable iteration,
+including treating the length from one dp node as the type in the next
+node. These are all errors, no matter where the data comes from.
+
+This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
+can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
+return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
+the length is too small. Additionally, it makes several places in the
+code check for and return errors in these cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d2cf823d0e31818d1b7a223daff6d5e006596543]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/efi.c | 64 +++++++++++++++++++++++++-----
+ grub-core/loader/efi/chainloader.c | 13 +++++-
+ grub-core/loader/i386/xnu.c | 9 +++--
+ include/grub/efi/api.h | 14 ++++---
+ 4 files changed, 79 insertions(+), 21 deletions(-)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index ad170c7..6a38080 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -360,7 +360,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+ dp = dp0;
+
+- while (1)
++ while (dp)
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -370,9 +370,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
+ && subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)
+ {
+- grub_efi_uint16_t len;
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+ filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2;
+ }
+
+@@ -388,7 +394,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ if (!name)
+ return NULL;
+
+- while (1)
++ while (dp)
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -404,8 +410,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+
+ *p++ = '/';
+
+- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+- / sizeof (grub_efi_char16_t));
++ len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ len = (len - 4) / sizeof (grub_efi_char16_t);
+ fp = (grub_efi_file_path_device_path_t *) dp;
+ /* According to EFI spec Path Name is NULL terminated */
+ while (len > 0 && fp->path_name[len - 1] == 0)
+@@ -480,7 +493,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp)
+ ;
+ p = GRUB_EFI_NEXT_DEVICE_PATH (p))
+ {
+- total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p);
++
++ /*
++ * In the event that we find a node that's completely garbage, for
++ * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size
++ * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and
++ * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue,
++ * and neither should our consumers, but there won't be any error raised
++ * even though the device path is junk.
++ *
++ * This keeps us from passing junk down back to our caller.
++ */
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ total_size += len;
+ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p))
+ break;
+ }
+@@ -525,7 +557,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor)
+ void
+ grub_efi_print_device_path (grub_efi_device_path_t *dp)
+ {
+- while (1)
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp))
+ {
+ grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+ grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -937,7 +969,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+ /* Return non-zero. */
+ return 1;
+
+- while (1)
++ if (dp1 == dp2)
++ return 0;
++
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
+ {
+ grub_efi_uint8_t type1, type2;
+ grub_efi_uint8_t subtype1, subtype2;
+@@ -973,5 +1008,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+ dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2);
+ }
+
++ /*
++ * There's no "right" answer here, but we probably don't want to call a valid
++ * dp and an invalid dp equal, so pick one way or the other.
++ */
++ if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return 1;
++ else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
++ return -1;
++
+ return 0;
+ }
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index daf8c6b..a8d7b91 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+
+ size = 0;
+ d = dp;
+- while (1)
++ while (d)
+ {
+- size += GRUB_EFI_DEVICE_PATH_LENGTH (d);
++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d);
++
++ if (len < 4)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE,
++ "malformed EFI Device Path node has length=%d", len);
++ return NULL;
++ }
++
++ size += len;
+ if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d)))
+ break;
+ d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index b7d176b..c50cb54 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -516,14 +516,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)),
+
+ devhead = buf;
+ buf = devhead + 1;
+- dpstart = buf;
++ dp = dpstart = buf;
+
+- do
++ while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)
+ {
+- dp = buf;
+ buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
++ break;
++ dp = buf;
+ }
+- while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend);
+
+ dev = grub_xnu_devprop_add_device (dpstart, (char *) buf
+ - (char *) dpstart);
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index addcbfa..cf1355a 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_DEVICE_PATH_TYPE(dp) ((dp)->type & 0x7f)
+ #define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp) ((dp)->subtype)
+ #define GRUB_EFI_DEVICE_PATH_LENGTH(dp) ((dp)->length)
++#define GRUB_EFI_DEVICE_PATH_VALID(dp) ((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4)
+
+ /* The End of Device Path nodes. */
+ #define GRUB_EFI_END_DEVICE_PATH_TYPE (0xff & 0x7f)
+@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE 0x01
+
+ #define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp) \
+- (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
+- && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
+- == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))
++ (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \
++ (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
++ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
++ == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)))
+
+ #define GRUB_EFI_NEXT_DEVICE_PATH(dp) \
+- ((grub_efi_device_path_t *) ((char *) (dp) \
+- + GRUB_EFI_DEVICE_PATH_LENGTH (dp)))
++ (GRUB_EFI_DEVICE_PATH_VALID (dp) \
++ ? ((grub_efi_device_path_t *) \
++ ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \
++ : NULL)
+
+ /* Hardware Device Path. */
+ #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1
diff --git a/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
new file mode 100644
index 0000000000..9d7327cee6
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0006-kern-efi-Fix-memory-leak-on-failure.patch
@@ -0,0 +1,30 @@
+From d4fd0243920b71cc6e03cc0cadf23b4fe03c352f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:15:25 +0000
+Subject: [PATCH] kern/efi: Fix memory leak on failure
+
+Free the memory allocated to name before returning on failure.
+
+Fixes: CID 296222
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ed286ceba6015d37a9304f04602451c47bf195d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/efi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6a38080..baeeef0 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -415,6 +415,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
++ grub_free (name);
+ return NULL;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000000..d55709406b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0007-kern-efi-mm-Fix-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,65 @@
+From be03a18b8767be50f16a845c389fd5ed29aae055 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 11 Dec 2020 15:03:13 +0000
+Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
+
+The model of grub_efi_get_memory_map() is that if memory_map is NULL,
+then the purpose is to discover how much memory should be allocated to
+it for the subsequent call.
+
+The problem here is that with grub_efi_is_finished set to 1, there is no
+check at all that the function is being called with a non-NULL memory_map.
+
+While this MAY be true, we shouldn't assume it.
+
+The solution to this is to behave as expected, and if memory_map is NULL,
+then don't try to use it and allow memory_map_size to be filled in, and
+return 0 as is done later in the code if the buffer is too small (or NULL).
+
+Additionally, drop unneeded ret = 1.
+
+Fixes: CID 96632
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6aee4bfd6973c714056fb7b56890b8d524e94ee1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
+index b02fab1..5afcef7 100644
+--- a/grub-core/kern/efi/mm.c
++++ b/grub-core/kern/efi/mm.c
+@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
+ if (grub_efi_is_finished)
+ {
+ int ret = 1;
+- if (*memory_map_size < finish_mmap_size)
++
++ if (memory_map != NULL)
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
+- ret = 0;
++ if (*memory_map_size < finish_mmap_size)
++ {
++ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
++ ret = 0;
++ }
++ else
++ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+ }
+ else
+ {
+- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
+- ret = 1;
++ /*
++ * Incomplete, no buffer to copy into, same as
++ * GRUB_EFI_BUFFER_TOO_SMALL below.
++ */
++ ret = 0;
+ }
+ *memory_map_size = finish_mmap_size;
+ if (map_key)
diff --git a/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
new file mode 100644
index 0000000000..74ffb559e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0008-gnulib-regexec-Resolve-unused-variable.patch
@@ -0,0 +1,59 @@
+From 9d36bce5d516b6379ba3a0dd1a94a9c035838827 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:41:27 +0000
+Subject: [PATCH] gnulib/regexec: Resolve unused variable
+
+This is a really minor issue where a variable is being assigned to but
+not checked before it is overwritten again.
+
+The reason for this issue is that we are not building with DEBUG set and
+this in turn means that the assert() that reads the value of the
+variable match_last is being processed out.
+
+The solution, move the assignment to match_last in to an ifdef DEBUG too.
+
+Fixes: CID 292459
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a983d36bd9178d377d2072fd4b11c635fdc404b4]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-unused-value.patch | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-unused-value.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 46c4e95..9b01152 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+
+diff --git a/grub-core/lib/gnulib-patches/fix-unused-value.patch b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+new file mode 100644
+index 0000000..ba51f1b
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-unused-value.patch
+@@ -0,0 +1,14 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-10-21 14:32:07.961765604 +0000
++@@ -828,7 +828,11 @@
++ break;
++ if (__glibc_unlikely (err != REG_NOMATCH))
++ goto free_return;
+++#ifdef DEBUG
+++ /* Only used for assertion below when DEBUG is set, otherwise
+++ it will be over-written when we loop around. */
++ match_last = -1;
+++#endif
++ }
++ else
++ break; /* We found a match. */
diff --git a/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
new file mode 100644
index 0000000000..b6e3c7edbe
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0009-gnulib-regcomp-Fix-uninitialized-token-structure.patch
@@ -0,0 +1,53 @@
+From 2af8df02cca7fd4b584575eac304cd03fa23f5cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 22 Oct 2020 13:54:06 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized token structure
+
+The code is assuming that the value of br_token.constraint was
+initialized to zero when it wasn't.
+
+While some compilers will ensure that, not all do, so it is better to
+fix this explicitly than leave it to chance.
+
+Fixes: CID 73749
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=75c3d3cec4f408848f575d6d5e30a95bd6313db0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-uninit-structure.patch | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9b01152..9e55458 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/no-abort.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-uninit-structure.patch b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+new file mode 100644
+index 0000000..7b4d9f6
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+@@ -0,0 +1,11 @@
++--- a/lib/regcomp.c 2020-10-22 13:49:06.770168928 +0000
+++++ b/lib/regcomp.c 2020-10-22 13:50:37.026528298 +0000
++@@ -3662,7 +3662,7 @@
++ Idx alloc = 0;
++ #endif /* not RE_ENABLE_I18N */
++ reg_errcode_t ret;
++- re_token_t br_token;
+++ re_token_t br_token = {0};
++ bin_tree_t *tree;
++
++ sbcset = (re_bitset_ptr_t) calloc (sizeof (bitset_t), 1);
diff --git a/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
new file mode 100644
index 0000000000..102a494561
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0010-gnulib-argp-help-Fix-dereference-of-a-possibly-NULL-.patch
@@ -0,0 +1,52 @@
+From eaf9da8b5f8349c51cfc89dd8e39a1a61f89790a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 28 Oct 2020 14:43:01 +0000
+Subject: [PATCH] gnulib/argp-help: Fix dereference of a possibly NULL state
+
+All other instances of call to __argp_failure() where there is
+a dgettext() call is first checking whether state is NULL before
+attempting to dereference it to get the root_argp->argp_domain.
+
+Fixes: CID 292436
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3a37bf120a9194c373257c70175cdb5b337bc107]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-null-state-deref.patch | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 9e55458..96d7e69 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -29,6 +29,7 @@ EXTRA_DIST += grub-core/genemuinit.sh
+ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-null-state-deref.patch b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+new file mode 100644
+index 0000000..813ec09
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-null-state-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/argp-help.c 2020-10-28 14:32:19.189215988 +0000
+++++ b/lib/argp-help.c 2020-10-28 14:38:21.204673940 +0000
++@@ -145,7 +145,8 @@
++ if (*(int *)((char *)upptr + up->uparams_offs) >= upptr->rmargin)
++ {
++ __argp_failure (state, 0, 0,
++- dgettext (state->root_argp->argp_domain,
+++ dgettext (state == NULL ? NULL
+++ : state->root_argp->argp_domain,
++ "\
++ ARGP_HELP_FMT: %s value is less than or equal to %s"),
++ "rmargin", up->name);
diff --git a/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
new file mode 100644
index 0000000000..4f43fcf7d5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0011-gnulib-regexec-Fix-possible-null-dereference.patch
@@ -0,0 +1,53 @@
+From 244dc2b1f518635069a556c424b2e7627f0cf036 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:57:14 +0000
+Subject: [PATCH] gnulib/regexec: Fix possible null-dereference
+
+It appears to be possible that the mctx->state_log field may be NULL,
+and the name of this function, clean_state_log_if_needed(), suggests
+that it should be checking that it is valid to be cleaned before
+assuming that it does.
+
+Fixes: CID 86720
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0b7f347638153e403ee2dd518af3ce26f4f99647]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../lib/gnulib-patches/fix-regexec-null-deref.patch | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index 96d7e69..d27d3a9 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+new file mode 100644
+index 0000000..db6dac9
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+@@ -0,0 +1,12 @@
++--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
+++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
++@@ -1692,6 +1692,9 @@
++ {
++ Idx top = mctx->state_log_top;
++
+++ if (mctx->state_log == NULL)
+++ return REG_NOERROR;
+++
++ if ((next_state_log_idx >= mctx->input.bufs_len
++ && mctx->input.bufs_len < mctx->input.len)
++ || (next_state_log_idx >= mctx->input.valid_len
diff --git a/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
new file mode 100644
index 0000000000..0507e0cd66
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0012-gnulib-regcomp-Fix-uninitialized-re_token.patch
@@ -0,0 +1,55 @@
+From 512b6bb380a77233b88c84b7a712896c70281d2f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 18:04:22 +0000
+Subject: [PATCH] gnulib/regcomp: Fix uninitialized re_token
+
+This issue has been fixed in the latest version of gnulib, so to
+maintain consistency, I've backported that change rather than doing
+something different.
+
+Fixes: CID 73828
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=03477085f9a33789ba6cca7cd49ab9326a1baa0e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.extra-dist | 1 +
+ .../gnulib-patches/fix-regcomp-uninit-token.patch | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+)
+ create mode 100644 grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+
+diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
+index d27d3a9..ffe6829 100644
+--- a/conf/Makefile.extra-dist
++++ b/conf/Makefile.extra-dist
+@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
+
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
++EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
+ EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
+diff --git a/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+new file mode 100644
+index 0000000..02e0631
+--- /dev/null
++++ b/grub-core/lib/gnulib-patches/fix-regcomp-uninit-token.patch
+@@ -0,0 +1,15 @@
++--- a/lib/regcomp.c 2020-11-24 17:06:08.159223858 +0000
+++++ b/lib/regcomp.c 2020-11-24 17:06:15.630253923 +0000
++@@ -3808,11 +3808,7 @@
++ create_tree (re_dfa_t *dfa, bin_tree_t *left, bin_tree_t *right,
++ re_token_type_t type)
++ {
++- re_token_t t;
++-#if defined GCC_LINT || defined lint
++- memset (&t, 0, sizeof t);
++-#endif
++- t.type = type;
+++ re_token_t t = { .type = type };
++ return create_token_tree (dfa, left, right, &t);
++ }
++
diff --git a/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
new file mode 100644
index 0000000000..1190b0d090
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0013-io-lzopio-Resolve-unnecessary-self-assignment-errors.patch
@@ -0,0 +1,41 @@
+From c529ca446424f1a9c64f0007dfe31fa7645d13ac Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 21 Oct 2020 14:44:10 +0000
+Subject: [PATCH] io/lzopio: Resolve unnecessary self-assignment errors
+
+These 2 assignments are unnecessary since they are just assigning
+to themselves.
+
+Fixes: CID 73643
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=59666e520f44177c97b82a44c169b3b315d63b42]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/io/lzopio.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
+index 3014485..a7d4425 100644
+--- a/grub-core/io/lzopio.c
++++ b/grub-core/io/lzopio.c
+@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ucheck)) !=
+ sizeof (lzopio->block.ucheck))
+ return -1;
+-
+- lzopio->block.ucheck = lzopio->block.ucheck;
+ }
+
+ /* Read checksum of compressed data. */
+@@ -143,8 +141,6 @@ read_block_header (struct grub_lzopio *lzopio)
+ sizeof (lzopio->block.ccheck)) !=
+ sizeof (lzopio->block.ccheck))
+ return -1;
+-
+- lzopio->block.ccheck = lzopio->block.ccheck;
+ }
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
new file mode 100644
index 0000000000..19d881c1ca
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0014-zstd-Initialize-seq_t-structure-fully.patch
@@ -0,0 +1,34 @@
+From f55ffe6bd8b844a8cd9956702f42ac2eb96ad56f Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 10:29:59 +0000
+Subject: [PATCH] zstd: Initialize seq_t structure fully
+
+While many compilers will initialize this to zero, not all will, so it
+is better to be sure that fields not being explicitly set are at known
+values, and there is code that checks this fields value elsewhere in the
+code.
+
+Fixes: CID 292440
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2777cf4466719921dbe4b30af358a75e7d76f217]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/zstd/zstd_decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/zstd/zstd_decompress.c b/grub-core/lib/zstd/zstd_decompress.c
+index 711b5b6..e4b5670 100644
+--- a/grub-core/lib/zstd/zstd_decompress.c
++++ b/grub-core/lib/zstd/zstd_decompress.c
+@@ -1325,7 +1325,7 @@ typedef enum { ZSTD_lo_isRegularOffset, ZSTD_lo_isLongOffset=1 } ZSTD_longOffset
+ FORCE_INLINE_TEMPLATE seq_t
+ ZSTD_decodeSequence(seqState_t* seqState, const ZSTD_longOffset_e longOffsets)
+ {
+- seq_t seq;
++ seq_t seq = {0};
+ U32 const llBits = seqState->stateLL.table[seqState->stateLL.state].nbAdditionalBits;
+ U32 const mlBits = seqState->stateML.table[seqState->stateML.state].nbAdditionalBits;
+ U32 const ofBits = seqState->stateOffb.table[seqState->stateOffb.state].nbAdditionalBits;
diff --git a/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
new file mode 100644
index 0000000000..af9fcd45cc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0015-kern-partition-Check-for-NULL-before-dereferencing-i.patch
@@ -0,0 +1,43 @@
+From 0da8ef2e03a8591586b53a29af92d2ace76a04e3 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 09:49:59 +0000
+Subject: [PATCH] kern/partition: Check for NULL before dereferencing input
+ string
+
+There is the possibility that the value of str comes from an external
+source and continuing to use it before ever checking its validity is
+wrong. So, needs fixing.
+
+Additionally, drop unneeded part initialization.
+
+Fixes: CID 292444
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bc9c468a2ce84bc767234eec888b71f1bc744fff]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/partition.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/partition.c b/grub-core/kern/partition.c
+index e499147..b10a184 100644
+--- a/grub-core/kern/partition.c
++++ b/grub-core/kern/partition.c
+@@ -109,11 +109,14 @@ grub_partition_map_probe (const grub_partition_map_t partmap,
+ grub_partition_t
+ grub_partition_probe (struct grub_disk *disk, const char *str)
+ {
+- grub_partition_t part = 0;
++ grub_partition_t part;
+ grub_partition_t curpart = 0;
+ grub_partition_t tail;
+ const char *ptr;
+
++ if (str == NULL)
++ return 0;
++
+ part = tail = disk->partition;
+
+ for (ptr = str; *ptr;)
diff --git a/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
new file mode 100644
index 0000000000..c1687c75d0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0016-disk-ldm-Make-sure-comp-data-is-freed-before-exiting.patch
@@ -0,0 +1,128 @@
+From 0c5d0fd796e6cafba179321de396681a493c4158 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 7 Dec 2020 11:53:03 -0300
+Subject: [PATCH] disk/ldm: Make sure comp data is freed before exiting from
+ make_vg()
+
+Several error handling paths in make_vg() do not free comp data before
+jumping to fail2 label and returning from the function. This will leak
+memory. So, let's fix all issues of that kind.
+
+Fixes: CID 73804
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=23e39f50ca7a107f6b66396ed4d177a914dee035]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 51 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 58f8a53..428415f 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -554,7 +554,11 @@ make_vg (grub_disk_t disk,
+ comp->segments = grub_calloc (comp->segment_alloc,
+ sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+ else
+ {
+@@ -562,7 +566,11 @@ make_vg (grub_disk_t disk,
+ comp->segment_count = 1;
+ comp->segments = grub_malloc (sizeof (*comp->segments));
+ if (!comp->segments)
+- goto fail2;
++ {
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ comp->segments->start_extent = 0;
+ comp->segments->extent_count = lv->size;
+ comp->segments->layout = 0;
+@@ -574,15 +582,26 @@ make_vg (grub_disk_t disk,
+ comp->segments->layout = GRUB_RAID_LAYOUT_SYMMETRIC_MASK;
+ }
+ else
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ ptr += *ptr + 1;
+ ptr++;
+ if (!(vblk[i].flags & 0x10))
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ if (ptr >= vblk[i].dynamic + sizeof (vblk[i].dynamic)
+ || ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -592,6 +611,7 @@ make_vg (grub_disk_t disk,
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
+ {
++ grub_free (comp->segments);
+ grub_free (comp->internal_id);
+ grub_free (comp);
+ goto fail2;
+@@ -601,7 +621,12 @@ make_vg (grub_disk_t disk,
+ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
+ sizeof (*comp->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ }
+
+ if (lv->segments->node_alloc == lv->segments->node_count)
+@@ -611,11 +636,23 @@ make_vg (grub_disk_t disk,
+
+ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
+ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+
+ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+- goto fail2;
++ {
++ grub_free (comp->segments->nodes);
++ grub_free (comp->segments);
++ grub_free (comp->internal_id);
++ grub_free (comp);
++ goto fail2;
++ }
+ lv->segments->nodes = t;
+ }
+ lv->segments->nodes[lv->segments->node_count].pv = 0;
diff --git a/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
new file mode 100644
index 0000000000..ecdb230f76
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0017-disk-ldm-If-failed-then-free-vg-variable-too.patch
@@ -0,0 +1,28 @@
+From 253485e8df3c9dedac848567e638157530184295 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 7 Dec 2020 10:07:47 -0300
+Subject: [PATCH] disk/ldm: If failed then free vg variable too
+
+Fixes: CID 73809
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e0b83df5da538d2a38f770e60817b3a4b9d5b4d7]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 428415f..54713f4 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -199,6 +199,7 @@ make_vg (grub_disk_t disk,
+ {
+ grub_free (vg->uuid);
+ grub_free (vg->name);
++ grub_free (vg);
+ return NULL;
+ }
+ grub_memcpy (vg->uuid, label->group_guid, LDM_GUID_STRLEN);
diff --git a/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
new file mode 100644
index 0000000000..26932f674c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0018-disk-ldm-Fix-memory-leak-on-uninserted-lv-references.patch
@@ -0,0 +1,50 @@
+From 3e1d2f1959acbe5152cdd5818d495f6455d1a158 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 10:00:51 +0000
+Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references
+
+The problem here is that the memory allocated to the variable lv is not
+yet inserted into the list that is being processed at the label fail2.
+
+As we can already see at line 342, which correctly frees lv before going
+to fail2, we should also be doing that at these earlier jumps to fail2.
+
+Fixes: CID 73824
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=156c281a1625dc73fd350530630c6f2d5673d4f6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/ldm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 54713f4..e82e989 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,
+ lv->visible = 1;
+ lv->segments = grub_zalloc (sizeof (*lv->segments));
+ if (!lv->segments)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ lv->segments->start_extent = 0;
+ lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ lv->segments->node_count = 0;
+@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,
+ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
+ sizeof (*lv->segments->nodes));
+ if (!lv->segments->nodes)
+- goto fail2;
++ {
++ grub_free (lv);
++ goto fail2;
++ }
+ ptr = vblk[i].dynamic;
+ if (ptr + *ptr + 1 >= vblk[i].dynamic
+ + sizeof (vblk[i].dynamic))
diff --git a/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..dd7fda357d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0019-disk-cryptodisk-Fix-potential-integer-overflow.patch
@@ -0,0 +1,50 @@
+From 2550aaa0c23fdf8b6c54e00c6b838f2e3aa81fe2 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 21 Jan 2021 11:38:31 +0000
+Subject: [PATCH] disk/cryptodisk: Fix potential integer overflow
+
+The encrypt and decrypt functions expect a grub_size_t. So, we need to
+ensure that the constant bit shift is using grub_size_t rather than
+unsigned int when it is performing the shift.
+
+Fixes: CID 307788
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a201ad17caa430aa710654fdf2e6ab4c8166f031]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/disk/cryptodisk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 5037768..6883f48 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -311,10 +311,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_CBC:
+ if (do_encrypt)
+ err = grub_crypto_cbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_cbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
+@@ -322,10 +322,10 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
+ case GRUB_CRYPTODISK_MODE_PCBC:
+ if (do_encrypt)
+ err = grub_crypto_pcbc_encrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ else
+ err = grub_crypto_pcbc_decrypt (dev->cipher, data + i, data + i,
+- (1U << dev->log_sector_size), iv);
++ ((grub_size_t) 1 << dev->log_sector_size), iv);
+ if (err)
+ return err;
+ break;
diff --git a/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
new file mode 100644
index 0000000000..eb459c547f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch
@@ -0,0 +1,43 @@
+From 7c1813eeec78892fa651046cc224ae4e80d0c94d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 23 Oct 2020 17:09:31 +0000
+Subject: [PATCH] hfsplus: Check that the volume name length is valid
+
+HFS+ documentation suggests that the maximum filename and volume name is
+255 Unicode characters in length.
+
+So, when converting from big-endian to little-endian, we should ensure
+that the name of the volume has a length that is between 0 and 255,
+inclusive.
+
+Fixes: CID 73641
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2298f6e0d951251bb9ca97d891d1bc8b74515f8c]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/hfsplus.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index dae43be..03c3c4c 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -1007,6 +1007,15 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+ label_len = grub_be_to_cpu16 (catkey->namelen);
++
++ /* Ensure that the length is >= 0. */
++ if (label_len < 0)
++ label_len = 0;
++
++ /* Ensure label length is at most 255 Unicode characters. */
++ if (label_len > 255)
++ label_len = 255;
++
+ label_name = grub_calloc (label_len, sizeof (*label_name));
+ if (!label_name)
+ {
diff --git a/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
new file mode 100644
index 0000000000..12418858f9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0021-zfs-Fix-possible-negative-shift-operation.patch
@@ -0,0 +1,42 @@
+From c757779e5d09719666c3b155afd2421978a107bd Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 24 Nov 2020 16:41:49 +0000
+Subject: [PATCH] zfs: Fix possible negative shift operation
+
+While it is possible for the return value from zfs_log2() to be zero
+(0), it is quite unlikely, given that the previous assignment to blksz
+is shifted up by SPA_MINBLOCKSHIFT (9) before 9 is subtracted at the
+assignment to epbs.
+
+But, while unlikely during a normal operation, it may be that a carefully
+crafted ZFS filesystem could result in a zero (0) value to the
+dn_datalbkszsec field, which means that the shift left does nothing
+and assigns zero (0) to blksz, resulting in a negative epbs value.
+
+Fixes: CID 73608
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a02091834d3e167320d8a262ff04b8e83c5e616d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 36d0373..0c42cba 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2667,6 +2667,11 @@ dnode_get (dnode_end_t * mdn, grub_uint64_t objnum, grub_uint8_t type,
+ blksz = grub_zfs_to_cpu16 (mdn->dn.dn_datablkszsec,
+ mdn->endian) << SPA_MINBLOCKSHIFT;
+ epbs = zfs_log2 (blksz) - DNODE_SHIFT;
++
++ /* While this should never happen, we should check that epbs is not negative. */
++ if (epbs < 0)
++ epbs = 0;
++
+ blkid = objnum >> epbs;
+ idx = objnum & ((1 << epbs) - 1);
+
diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
new file mode 100644
index 0000000000..5ded5520e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
+From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+
+Fixes: CID 73741
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+ {
+- grub_free (path_buf);
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
++ break;
+ }
+ err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+ data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ << SPA_MINBLOCKSHIFT);
+
+ if (blksz == 0)
+- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
++ {
++ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
++ break;
++ }
+
+ sym_value = grub_malloc (sym_sz);
+ if (!sym_value)
+- return grub_errno;
++ {
++ err = grub_errno;
++ break;
++ }
++
+ for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+ {
+ void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (err)
+ {
+ grub_free (sym_value);
+- return err;
++ break;
+ }
+
+ movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_memcpy (sym_value + block * blksz, t, movesize);
+ grub_free (t);
+ }
++ if (err)
++ break;
+ free_symval = 1;
+ }
+ path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ grub_free (oldpathbuf);
+ if (free_symval)
+ grub_free (sym_value);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+
+ err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+ if (err)
+- return err;
++ break;
+ }
+ else
+ {
+- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
++ break;
+ }
+
+ hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ if (!path_buf)
+ {
+ grub_free (oldpathbuf);
+- return grub_errno;
++ err = grub_errno;
++ break;
+ }
+ grub_memcpy (path, sym_value, sym_sz);
+ path [sym_sz] = 0;
diff --git a/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
new file mode 100644
index 0000000000..8df758b41f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0023-zfs-Fix-possible-integer-overflows.patch
@@ -0,0 +1,56 @@
+From ec35d862f3567671048aa0d0d8ad1ded1fd25336 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 22:17:04 +0000
+Subject: [PATCH] zfs: Fix possible integer overflows
+
+In all cases the problem is that the value being acted upon by
+a left-shift is a 32-bit number which is then being used in the
+context of a 64-bit number.
+
+To avoid overflow we ensure that the number being shifted is 64-bit
+before the shift is done.
+
+Fixes: CID 73684, CID 73695, CID 73764
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=302c12ff5714bc455949117c1c9548ccb324d55b]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 9087a72..b078ccc 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -564,7 +564,7 @@ find_bestub (uberblock_phys_t * ub_array,
+ ubptr = (uberblock_phys_t *) ((grub_properly_aligned_t *) ub_array
+ + ((i << ub_shift)
+ / sizeof (grub_properly_aligned_t)));
+- err = uberblock_verify (ubptr, offset, 1 << ub_shift);
++ err = uberblock_verify (ubptr, offset, (grub_size_t) 1 << ub_shift);
+ if (err)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -1543,7 +1543,7 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ high = grub_divmod64 ((offset >> desc->ashift) + c,
+ desc->n_children, &devn);
+- csize = bsize << desc->ashift;
++ csize = (grub_size_t) bsize << desc->ashift;
+ if (csize > len)
+ csize = len;
+
+@@ -1635,8 +1635,8 @@ read_device (grub_uint64_t offset, struct grub_zfs_device_desc *desc,
+
+ while (len > 0)
+ {
+- grub_size_t csize;
+- csize = ((s / (desc->n_children - desc->nparity))
++ grub_size_t csize = s;
++ csize = ((csize / (desc->n_children - desc->nparity))
+ << desc->ashift);
+ if (csize > len)
+ csize = len;
diff --git a/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
new file mode 100644
index 0000000000..555dc19168
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch
@@ -0,0 +1,35 @@
+From b085da8efda9b81f94aa197ee045226563554fdf Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:56:45 +0000
+Subject: [PATCH] zfsinfo: Correct a check for error allocating memory
+
+While arguably the check for grub_errno is correct, we should really be
+checking the return value from the function since it is always possible
+that grub_errno was set elsewhere, making this code behave incorrectly.
+
+Fixes: CID 73668
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7aab03418ec6a9b991aa44416cb2585aff4e7972]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfsinfo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/zfs/zfsinfo.c b/grub-core/fs/zfs/zfsinfo.c
+index c8a28ac..bf29180 100644
+--- a/grub-core/fs/zfs/zfsinfo.c
++++ b/grub-core/fs/zfs/zfsinfo.c
+@@ -358,8 +358,8 @@ grub_cmd_zfs_bootfs (grub_command_t cmd __attribute__ ((unused)), int argc,
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+
+ devname = grub_file_get_device_name (args[0]);
+- if (grub_errno)
+- return grub_errno;
++ if (devname == NULL)
++ return GRUB_ERR_OUT_OF_MEMORY;
+
+ dev = grub_device_open (devname);
+ grub_free (devname);
diff --git a/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
new file mode 100644
index 0000000000..435130516c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
+From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+
+Fixes: CID 73759
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+ unsigned int i;
+ struct grub_affs_file file;
+- struct grub_fshelp_node *node = 0;
++ struct grub_fshelp_node *node, *orig_node;
+ struct grub_affs_data *data = dir->data;
+ grub_uint32_t *hashtable;
+
+ /* Create the directory entries for `.' and `..'. */
+- node = grub_zalloc (sizeof (*node));
++ node = orig_node = grub_zalloc (sizeof (*node));
+ if (!node)
+ return 1;
+
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ if (dir->parent)
+ {
+- node = grub_zalloc (sizeof (*node));
+- if (!node)
+- return 1;
+ *node = *dir->parent;
+ if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+
+ if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+ next, &file))
+- return 1;
++ {
++ /* Node has been replaced in function. */
++ grub_free (orig_node);
++ return 1;
++ }
+
+ next = grub_be_to_cpu32 (file.next);
+ }
+ }
+
+- grub_free (hashtable);
+- return 0;
+-
+ fail:
+- grub_free (node);
++ grub_free (orig_node);
+ grub_free (hashtable);
+ return 0;
+ }
diff --git a/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
new file mode 100644
index 0000000000..f500f1a296
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0026-libgcrypt-mpi-Fix-possible-unintended-sign-extension.patch
@@ -0,0 +1,36 @@
+From 9b16d7bcad1c7fea7f26eb2fb3af1a5ca70ba34e Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 3 Nov 2020 16:43:37 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible unintended sign extension
+
+The array of unsigned char gets promoted to a signed 32-bit int before
+it is finally promoted to a size_t. There is the possibility that this
+may result in the signed-bit being set for the intermediate signed
+32-bit int. We should ensure that the promotion is to the correct type
+before we bitwise-OR the values.
+
+Fixes: CID 96697
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e8814c811132a70f9b55418f7567378a34ad3883]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index a3435ed..7ecad27 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -458,7 +458,7 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ if (len && len < 4)
+ return gcry_error (GPG_ERR_TOO_SHORT);
+
+- n = (s[0] << 24 | s[1] << 16 | s[2] << 8 | s[3]);
++ n = ((size_t)s[0] << 24 | (size_t)s[1] << 16 | (size_t)s[2] << 8 | (size_t)s[3]);
+ s += 4;
+ if (len)
+ len -= 4;
diff --git a/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
new file mode 100644
index 0000000000..08299d021e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0027-libgcrypt-mpi-Fix-possible-NULL-dereference.patch
@@ -0,0 +1,33 @@
+From d26c8771293637b0465f2cb67d97cb58bacc62da Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 10:41:54 +0000
+Subject: [PATCH] libgcrypt/mpi: Fix possible NULL dereference
+
+The code in gcry_mpi_scan() assumes that buffer is not NULL, but there
+is no explicit check for that, so we add one.
+
+Fixes: CID 73757
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ae0f3fabeba7b393113d5dc185b6aff9b728136d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/libgcrypt/mpi/mpicoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt/mpi/mpicoder.c b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+index 7ecad27..6fe3891 100644
+--- a/grub-core/lib/libgcrypt/mpi/mpicoder.c
++++ b/grub-core/lib/libgcrypt/mpi/mpicoder.c
+@@ -379,6 +379,9 @@ gcry_mpi_scan (struct gcry_mpi **ret_mpi, enum gcry_mpi_format format,
+ unsigned int len;
+ int secure = (buffer && gcry_is_secure (buffer));
+
++ if (!buffer)
++ return gcry_error (GPG_ERR_INV_ARG);
++
+ if (format == GCRYMPI_FMT_SSH)
+ len = 0;
+ else
diff --git a/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
new file mode 100644
index 0000000000..d8c21d88f7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0028-syslinux-Fix-memory-leak-while-parsing.patch
@@ -0,0 +1,43 @@
+From ea12feb69b6af93c7e2fa03df7ac3bd1f4edd599 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 15:31:53 +0000
+Subject: [PATCH] syslinux: Fix memory leak while parsing
+
+In syslinux_parse_real() the 2 points where return is being called
+didn't release the memory stored in buf which is no longer required.
+
+Fixes: CID 176634
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=95bc016dba94cab3d398dd74160665915cd08ad6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/lib/syslinux_parse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
+index 4afa992..3acc6b4 100644
+--- a/grub-core/lib/syslinux_parse.c
++++ b/grub-core/lib/syslinux_parse.c
+@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ && grub_strncasecmp ("help", ptr3, ptr4 - ptr3) == 0))
+ {
+ if (helptext (ptr5, file, menu))
+- return 1;
++ {
++ grub_free (buf);
++ return 1;
++ }
+ continue;
+ }
+
+@@ -757,6 +760,7 @@ syslinux_parse_real (struct syslinux_menu *menu)
+ }
+ fail:
+ grub_file_close (file);
++ grub_free (buf);
+ return err;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
new file mode 100644
index 0000000000..8a26e5bc5b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0029-normal-completion-Fix-leaking-of-memory-when-process.patch
@@ -0,0 +1,52 @@
+From 2367049d2021e00d82d19cee923e06a4b04ebc30 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 18:56:48 +0000
+Subject: [PATCH] normal/completion: Fix leaking of memory when processing a
+ completion
+
+It is possible for the code to reach the end of the function without
+freeing the memory allocated to argv and argc still to be 0.
+
+We should always call grub_free(argv). The grub_free() will handle
+a NULL argument correctly if it reaches that code without the memory
+being allocated.
+
+Fixes: CID 96672
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9213575b7a95b514bce80be5964a28d407d7d56d]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/normal/completion.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
+index 5961028..46e473c 100644
+--- a/grub-core/normal/completion.c
++++ b/grub-core/normal/completion.c
+@@ -400,8 +400,8 @@ char *
+ grub_normal_do_completion (char *buf, int *restore,
+ void (*hook) (const char *, grub_completion_type_t, int))
+ {
+- int argc;
+- char **argv;
++ int argc = 0;
++ char **argv = NULL;
+
+ /* Initialize variables. */
+ match = 0;
+@@ -516,10 +516,8 @@ grub_normal_do_completion (char *buf, int *restore,
+
+ fail:
+ if (argc != 0)
+- {
+- grub_free (argv[0]);
+- grub_free (argv);
+- }
++ grub_free (argv[0]);
++ grub_free (argv);
+ grub_free (match);
+ grub_errno = GRUB_ERR_NONE;
+
diff --git a/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
new file mode 100644
index 0000000000..e34a19e12c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0030-commands-hashsum-Fix-a-memory-leak.patch
@@ -0,0 +1,56 @@
+From b136fa14d26d1833ffcb852f86e65da5960cfb99 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 1 Dec 2020 23:41:24 +0000
+Subject: [PATCH] commands/hashsum: Fix a memory leak
+
+check_list() uses grub_file_getline(), which allocates a buffer.
+If the hash list file contains invalid lines, the function leaks
+this buffer when it returns an error.
+
+Fixes: CID 176635
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b6f528e52e18b7a69f90b8dc3671d7b1147d9f3]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/hashsum.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
+index 456ba90..b8a22b0 100644
+--- a/grub-core/commands/hashsum.c
++++ b/grub-core/commands/hashsum.c
+@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+ high = hextoval (*p++);
+ low = hextoval (*p++);
+ if (high < 0 || low < 0)
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ expected[i] = (high << 4) | low;
+ }
+ if ((p[0] != ' ' && p[0] != '\t') || (p[1] != ' ' && p[1] != '\t'))
+- return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ {
++ grub_free (buf);
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "invalid hash list");
++ }
+ p += 2;
+ if (prefix)
+ {
+@@ -140,7 +146,10 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
+
+ filename = grub_xasprintf ("%s/%s", prefix, p);
+ if (!filename)
+- return grub_errno;
++ {
++ grub_free (buf);
++ return grub_errno;
++ }
+ file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
+ | (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
+ : GRUB_FILE_TYPE_NONE));
diff --git a/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
new file mode 100644
index 0000000000..7e4e951245
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0031-video-efi_gop-Remove-unnecessary-return-value-of-gru.patch
@@ -0,0 +1,94 @@
+From 2a1e5659763790201a342f8a897c8c9d8d91b1cc Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:14:31 +0000
+Subject: [PATCH] video/efi_gop: Remove unnecessary return value of
+ grub_video_gop_fill_mode_info()
+
+The return value of grub_video_gop_fill_mode_info() is never able to be
+anything other than GRUB_ERR_NONE. So, rather than continue to return
+a value and checking it each time, it is more correct to redefine the
+function to not return anything and remove checks of its return value
+altogether.
+
+Fixes: CID 96701
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fc5951d3b1616055ef81a019a5affc09d13344d0]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/efi_gop.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/grub-core/video/efi_gop.c b/grub-core/video/efi_gop.c
+index 7f9d1c2..db2ee98 100644
+--- a/grub-core/video/efi_gop.c
++++ b/grub-core/video/efi_gop.c
+@@ -227,7 +227,7 @@ grub_video_gop_fill_real_mode_info (unsigned mode,
+ return GRUB_ERR_NONE;
+ }
+
+-static grub_err_t
++static void
+ grub_video_gop_fill_mode_info (unsigned mode,
+ struct grub_efi_gop_mode_info *in,
+ struct grub_video_mode_info *out)
+@@ -252,8 +252,6 @@ grub_video_gop_fill_mode_info (unsigned mode,
+ out->blit_format = GRUB_VIDEO_BLIT_FORMAT_BGRA_8888;
+ out->mode_type |= (GRUB_VIDEO_MODE_TYPE_DOUBLE_BUFFERED
+ | GRUB_VIDEO_MODE_TYPE_UPDATING_SWAP);
+-
+- return GRUB_ERR_NONE;
+ }
+
+ static int
+@@ -266,7 +264,6 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ grub_efi_uintn_t size;
+ grub_efi_status_t status;
+ struct grub_efi_gop_mode_info *info = NULL;
+- grub_err_t err;
+ struct grub_video_mode_info mode_info;
+
+ status = efi_call_4 (gop->query_mode, gop, mode, &size, &info);
+@@ -277,12 +274,7 @@ grub_video_gop_iterate (int (*hook) (const struct grub_video_mode_info *info, vo
+ continue;
+ }
+
+- err = grub_video_gop_fill_mode_info (mode, info, &mode_info);
+- if (err)
+- {
+- grub_errno = GRUB_ERR_NONE;
+- continue;
+- }
++ grub_video_gop_fill_mode_info (mode, info, &mode_info);
+ if (hook (&mode_info, hook_arg))
+ return 1;
+ }
+@@ -466,13 +458,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+
+ info = gop->mode->info;
+
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
+- if (err)
+- {
+- grub_dprintf ("video", "GOP: couldn't fill mode info\n");
+- return err;
+- }
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+
+ framebuffer.ptr = (void *) (grub_addr_t) gop->mode->fb_base;
+ framebuffer.offscreen
+@@ -486,8 +473,8 @@ grub_video_gop_setup (unsigned int width, unsigned int height,
+ {
+ grub_dprintf ("video", "GOP: couldn't allocate shadow\n");
+ grub_errno = 0;
+- err = grub_video_gop_fill_mode_info (gop->mode->mode, info,
+- &framebuffer.mode_info);
++ grub_video_gop_fill_mode_info (gop->mode->mode, info,
++ &framebuffer.mode_info);
+ buffer = framebuffer.ptr;
+ }
+
diff --git a/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
new file mode 100644
index 0000000000..8165ea3f71
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0032-video-fb-fbfill-Fix-potential-integer-overflow.patch
@@ -0,0 +1,78 @@
+From 99ecf5a44b99d529a6405fe276bedcefa3657a0a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 15:10:51 +0000
+Subject: [PATCH] video/fb/fbfill: Fix potential integer overflow
+
+The multiplication of 2 unsigned 32-bit integers may overflow before
+promotion to unsigned 64-bit. We should ensure that the multiplication
+is done with overflow detection. Additionally, use grub_sub() for
+subtraction.
+
+Fixes: CID 73640, CID 73697, CID 73702, CID 73823
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7ce3259f67ac2cd93acb0ec0080c24b3b69e66c6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/fbfill.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/video/fb/fbfill.c b/grub-core/video/fb/fbfill.c
+index 11816d0..a37acd1 100644
+--- a/grub-core/video/fb/fbfill.c
++++ b/grub-core/video/fb/fbfill.c
+@@ -31,6 +31,7 @@
+ #include <grub/fbfill.h>
+ #include <grub/fbutil.h>
+ #include <grub/types.h>
++#include <grub/safemath.h>
+ #include <grub/video.h>
+
+ /* Generic filler that works for every supported mode. */
+@@ -61,7 +62,9 @@ grub_video_fbfill_direct32 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -98,7 +101,9 @@ grub_video_fbfill_direct24 (struct grub_video_fbblit_info *dst,
+ #endif
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -131,7 +136,9 @@ grub_video_fbfill_direct16 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = (dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width);
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
+@@ -161,7 +168,9 @@ grub_video_fbfill_direct8 (struct grub_video_fbblit_info *dst,
+
+ /* Calculate the number of bytes to advance from the end of one line
+ to the beginning of the next line. */
+- rowskip = dst->mode_info->pitch - dst->mode_info->bytes_per_pixel * width;
++ if (grub_mul (dst->mode_info->bytes_per_pixel, width, &rowskip) ||
++ grub_sub (dst->mode_info->pitch, rowskip, &rowskip))
++ return;
+
+ /* Get the start address. */
+ dstptr = grub_video_fb_get_video_ptr (dst, x, y);
diff --git a/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
new file mode 100644
index 0000000000..544e7f31ae
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0033-video-fb-video_fb-Fix-multiple-integer-overflows.patch
@@ -0,0 +1,104 @@
+From 69b91f7466a5ad5fb85039a5b4118efb77ad6347 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Wed, 4 Nov 2020 14:43:44 +0000
+Subject: [PATCH] video/fb/video_fb: Fix multiple integer overflows
+
+The calculation of the unsigned 64-bit value is being generated by
+multiplying 2, signed or unsigned, 32-bit integers which may overflow
+before promotion to unsigned 64-bit. Fix all of them.
+
+Fixes: CID 73703, CID 73767, CID 73833
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08e098b1dbf01e96376f594b337491bc4cfa48dd]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 52 ++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 16 deletions(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1a602c8..1c9a138 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -25,6 +25,7 @@
+ #include <grub/fbutil.h>
+ #include <grub/bitmap.h>
+ #include <grub/dl.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -1417,15 +1418,23 @@ doublebuf_blit_update_screen (void)
+ {
+ if (framebuffer.current_dirty.first_line
+ <= framebuffer.current_dirty.last_line)
+- grub_memcpy ((char *) framebuffer.pages[0]
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + framebuffer.current_dirty.first_line
+- * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (framebuffer.current_dirty.last_line
+- - framebuffer.current_dirty.first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (framebuffer.current_dirty.last_line,
++ framebuffer.current_dirty.first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[0] + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + framebuffer.current_dirty.first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
+ framebuffer.current_dirty.last_line = 0;
+@@ -1439,7 +1448,7 @@ grub_video_fb_doublebuf_blit_init (struct grub_video_fbrender_target **back,
+ volatile void *framebuf)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info.pitch * mode_info.height;
++ grub_size_t page_size = (grub_size_t) mode_info.pitch * mode_info.height;
+
+ framebuffer.offscreen_buffer = grub_zalloc (page_size);
+ if (! framebuffer.offscreen_buffer)
+@@ -1482,12 +1491,23 @@ doublebuf_pageflipping_update_screen (void)
+ last_line = framebuffer.previous_dirty.last_line;
+
+ if (first_line <= last_line)
+- grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page]
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- (char *) framebuffer.back_target->data
+- + first_line * framebuffer.back_target->mode_info.pitch,
+- framebuffer.back_target->mode_info.pitch
+- * (last_line - first_line));
++ {
++ grub_size_t copy_size;
++
++ if (grub_sub (last_line, first_line, &copy_size) ||
++ grub_mul (framebuffer.back_target->mode_info.pitch, copy_size, &copy_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
++
++ grub_memcpy ((char *) framebuffer.pages[framebuffer.render_page] + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ (char *) framebuffer.back_target->data + first_line *
++ framebuffer.back_target->mode_info.pitch,
++ copy_size);
++ }
++
+ framebuffer.previous_dirty = framebuffer.current_dirty;
+ framebuffer.current_dirty.first_line
+ = framebuffer.back_target->mode_info.height;
diff --git a/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
new file mode 100644
index 0000000000..c82b2c7df0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0034-video-fb-video_fb-Fix-possible-integer-overflow.patch
@@ -0,0 +1,39 @@
+From aac5574ff340a665ccc78d4c3d61596ac67acbbe Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 14:51:30 +0000
+Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
+
+It is minimal possibility that the values being used here will overflow.
+So, change the code to use the safemath function grub_mul() to ensure
+that doesn't happen.
+
+Fixes: CID 73761
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=08413f2f4edec0e2d9bf15f836f6ee5ca2e379cb]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/fb/video_fb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
+index 1c9a138..ae6b89f 100644
+--- a/grub-core/video/fb/video_fb.c
++++ b/grub-core/video/fb/video_fb.c
+@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
+ volatile void *page1_ptr)
+ {
+ grub_err_t err;
+- grub_size_t page_size = mode_info->pitch * mode_info->height;
++ grub_size_t page_size = 0;
++
++ if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
++ {
++ /* Shouldn't happen, but if it does we've a bug. */
++ return GRUB_ERR_BUG;
++ }
+
+ framebuffer.offscreen_buffer = grub_malloc (page_size);
+ if (! framebuffer.offscreen_buffer)
diff --git a/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
new file mode 100644
index 0000000000..3fca2aecb5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0035-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
@@ -0,0 +1,38 @@
+From 88361a7fd4e481a76e1159a63c9014fa997ef29c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:39:00 +0000
+Subject: [PATCH] video/readers/jpeg: Test for an invalid next marker reference
+ from a jpeg file
+
+While it may never happen, and potentially could be caught at the end of
+the function, it is worth checking up front for a bad reference to the
+next marker just in case of a maliciously crafted file being provided.
+
+Fixes: CID 73694
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5f5eb7ca8e971227e95745abe541df3e1509360e]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/video/readers/jpeg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..0b6ce3c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -253,6 +253,12 @@ grub_jpeg_decode_quan_table (struct grub_jpeg_data *data)
+ next_marker = data->file->offset;
+ next_marker += grub_jpeg_get_word (data);
+
++ if (next_marker > data->file->size)
++ {
++ /* Should never be set beyond the size of the file. */
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, "jpeg: invalid next reference");
++ }
++
+ while (data->file->offset + sizeof (data->quan_table[id]) + 1
+ <= next_marker)
+ {
diff --git a/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch b/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
new file mode 100644
index 0000000000..61e5e5797d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch
@@ -0,0 +1,34 @@
+From 9433cb3a37c03f22c2fa769121f1f509fd031ae9 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Mon, 7 Dec 2020 14:44:47 +0000
+Subject: [PATCH] gfxmenu/gui_list: Remove code that coverity is flagging as
+ dead
+
+The test of value for NULL before calling grub_strdup() is not required,
+since the if condition prior to this has already tested for value being
+NULL and cannot reach this code if it is.
+
+Fixes: CID 73659
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4a1aa5917595650efbd46b581368c470ebee42ab]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gfxmenu/gui_list.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/gfxmenu/gui_list.c b/grub-core/gfxmenu/gui_list.c
+index 01477cd..df334a6 100644
+--- a/grub-core/gfxmenu/gui_list.c
++++ b/grub-core/gfxmenu/gui_list.c
+@@ -771,7 +771,7 @@ list_set_property (void *vself, const char *name, const char *value)
+ {
+ self->need_to_recreate_boxes = 1;
+ grub_free (self->selected_item_box_pattern);
+- self->selected_item_box_pattern = value ? grub_strdup (value) : 0;
++ self->selected_item_box_pattern = grub_strdup (value);
+ self->selected_item_box_pattern_inherit = 0;
+ }
+ }
diff --git a/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch b/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch
new file mode 100644
index 0000000000..34643e10ab
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0037-loader-bsd-Check-for-NULL-arg-up-front.patch
@@ -0,0 +1,47 @@
+From 7899384c8fdf9ed96566978c49b0c6e40e70703d Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Tue, 8 Dec 2020 21:47:13 +0000
+Subject: [PATCH] loader/bsd: Check for NULL arg up-front
+
+The code in the next block suggests that it is possible for .set to be
+true but .arg may still be NULL.
+
+This code assumes that it is never NULL, yet later is testing if it is
+NULL - that is inconsistent.
+
+So we should check first if .arg is not NULL, and remove this check that
+is being flagged by Coverity since it is no longer required.
+
+Fixes: CID 292471
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5d5391b0a05abe76e04c1eb68dcc6cbef5326c4a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/i386/bsd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index b92cbe9..8432283 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -1605,7 +1605,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ kernel_type = KERNEL_TYPE_OPENBSD;
+ bootflags = grub_bsd_parse_flags (ctxt->state, openbsd_flags);
+
+- if (ctxt->state[OPENBSD_ROOT_ARG].set)
++ if (ctxt->state[OPENBSD_ROOT_ARG].set && ctxt->state[OPENBSD_ROOT_ARG].arg != NULL)
+ {
+ const char *arg = ctxt->state[OPENBSD_ROOT_ARG].arg;
+ unsigned type, unit, part;
+@@ -1622,7 +1622,7 @@ grub_cmd_openbsd (grub_extcmd_context_t ctxt, int argc, char *argv[])
+ "unknown disk type name");
+
+ unit = grub_strtoul (arg, (char **) &arg, 10);
+- if (! (arg && *arg >= 'a' && *arg <= 'z'))
++ if (! (*arg >= 'a' && *arg <= 'z'))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ "only device specifications of form "
+ "<type><number><lowercase letter> are supported");
diff --git a/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch b/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch
new file mode 100644
index 0000000000..41f09a22fc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0038-loader-xnu-Fix-memory-leak.patch
@@ -0,0 +1,38 @@
+From 0a4aa7c16f65cdfaa1013f0796afa929f8d6dc1a Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:53:10 +0000
+Subject: [PATCH] loader/xnu: Fix memory leak
+
+The code here is finished with the memory stored in name, but it only
+frees it if there curvalue is valid, while it could actually free it
+regardless.
+
+The fix is a simple relocation of the grub_free() to before the test
+of curvalue.
+
+Fixes: CID 96646
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=bcb59ece3263d118510c4440c4da0950f224bb7f]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 07232d2..b3029a8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1388,9 +1388,9 @@ grub_xnu_fill_devicetree (void)
+ name[len] = 0;
+
+ curvalue = grub_xnu_create_value (curkey, name);
++ grub_free (name);
+ if (!curvalue)
+ return grub_errno;
+- grub_free (name);
+
+ data = grub_malloc (grub_strlen (var->value) + 1);
+ if (!data)
diff --git a/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
new file mode 100644
index 0000000000..f9ad0fc34c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,77 @@
+From 81117a77a9e945ee5e7c1f12bd5667e2a16cbe32 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 30 Nov 2020 12:18:24 -0300
+Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
+ grub_xnu_writetree_toheap()
+
+... to avoid memory leaks.
+
+Fixes: CID 96640
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4b4027b6b1c877d7ab467896b04c7bd1aadcfa15]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index b3029a8..39ceff8 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -224,26 +224,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ if (! memorymap)
+ return grub_errno;
+
+- driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
++ driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
+ if (! driverkey)
+ return grub_errno;
+ driverkey->name = grub_strdup ("DeviceTree");
+ if (! driverkey->name)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
++
+ driverkey->datasize = sizeof (*extdesc);
+ driverkey->next = memorymap->first_child;
+ memorymap->first_child = driverkey;
+ driverkey->data = extdesc
+ = (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
+ if (! driverkey->data)
+- return grub_errno;
++ {
++ err = grub_errno;
++ goto fail;
++ }
+
+ /* Allocate the space based on the size with dummy value. */
+ *size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
+ err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
+ &src, target);
+ if (err)
+- return err;
++ goto fail;
+
+ /* Put real data in the dummy. */
+ extdesc->addr = *target;
+@@ -252,6 +259,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+ /* Write the tree to heap. */
+ grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
+ return GRUB_ERR_NONE;
++
++ fail:
++ memorymap->first_child = NULL;
++
++ grub_free (driverkey->data);
++ grub_free (driverkey->name);
++ grub_free (driverkey);
++
++ return err;
+ }
+
+ /* Find a key or value in parent key. */
diff --git a/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch b/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
new file mode 100644
index 0000000000..8081f7763a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0040-loader-xnu-Check-if-pointer-is-NULL-before-using-it.patch
@@ -0,0 +1,42 @@
+From 778a3fffd19229e5650a1abfb06c974949991cd4 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 30 Nov 2020 10:36:00 -0300
+Subject: [PATCH] loader/xnu: Check if pointer is NULL before using it
+
+Fixes: CID 73654
+
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7c8a2b5d1421a0f2a33d33531f7561f3da93b844]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 39ceff8..adc048c 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -667,6 +667,9 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ char *name, *nameend;
+ int namelen;
+
++ if (infoplistname == NULL)
++ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing p-list filename"));
++
+ name = get_name_ptr (infoplistname);
+ nameend = grub_strchr (name, '/');
+
+@@ -698,10 +701,7 @@ grub_xnu_load_driver (char *infoplistname, grub_file_t binaryfile,
+ else
+ macho = 0;
+
+- if (infoplistname)
+- infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+- else
+- infoplist = 0;
++ infoplist = grub_file_open (infoplistname, GRUB_FILE_TYPE_XNU_INFO_PLIST);
+ grub_errno = GRUB_ERR_NONE;
+ if (infoplist)
+ {
diff --git a/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch b/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch
new file mode 100644
index 0000000000..ea563a41a0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0041-util-grub-install-Fix-NULL-pointer-dereferences.patch
@@ -0,0 +1,41 @@
+From 5d2dd0052474a882a22e47cc8c3ed87a01819f6b Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 25 Feb 2021 18:35:01 +0100
+Subject: [PATCH] util/grub-install: Fix NULL pointer dereferences
+
+Two grub_device_open() calls does not have associated NULL checks
+for returned values. Fix that and appease the Coverity.
+
+Fixes: CID 314583
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8b3a95655b4391122e7b0315d8cc6f876caf8183]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/grub-install.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index a82725f..367350f 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -1775,6 +1775,8 @@ main (int argc, char *argv[])
+ fill_core_services (core_services);
+
+ ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+ bless (ins_dev, core_services, 0);
+
+@@ -1875,6 +1877,8 @@ main (int argc, char *argv[])
+ fill_core_services(core_services);
+
+ ins_dev = grub_device_open (install_drive);
++ if (ins_dev == NULL)
++ grub_util_error ("%s", grub_errmsg);
+
+ bless (ins_dev, boot_efi, 1);
+ if (!removable && update_nvram)
diff --git a/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch b/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
new file mode 100644
index 0000000000..0cd8ec3611
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0042-util-grub-editenv-Fix-incorrect-casting-of-a-signed-.patch
@@ -0,0 +1,46 @@
+From 3d68daf2567aace4b52bd238cfd4a8111af3bc04 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 5 Nov 2020 14:33:50 +0000
+Subject: [PATCH] util/grub-editenv: Fix incorrect casting of a signed value
+
+The return value of ftell() may be negative (-1) on error. While it is
+probably unlikely to occur, we should not blindly cast to an unsigned
+value without first testing that it is not negative.
+
+Fixes: CID 73856
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5dc41edc4eba259c6043ae7698c245ec1baaacc6]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/grub-editenv.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-editenv.c b/util/grub-editenv.c
+index f3662c9..db6f187 100644
+--- a/util/grub-editenv.c
++++ b/util/grub-editenv.c
+@@ -125,6 +125,7 @@ open_envblk_file (const char *name)
+ {
+ FILE *fp;
+ char *buf;
++ long loc;
+ size_t size;
+ grub_envblk_t envblk;
+
+@@ -143,7 +144,12 @@ open_envblk_file (const char *name)
+ grub_util_error (_("cannot seek `%s': %s"), name,
+ strerror (errno));
+
+- size = (size_t) ftell (fp);
++ loc = ftell (fp);
++ if (loc < 0)
++ grub_util_error (_("cannot get file location `%s': %s"), name,
++ strerror (errno));
++
++ size = (size_t) loc;
+
+ if (fseek (fp, 0, SEEK_SET) < 0)
+ grub_util_error (_("cannot seek `%s': %s"), name,
diff --git a/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch b/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
new file mode 100644
index 0000000000..66d7c0aa42
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0043-util-glue-efi-Fix-incorrect-use-of-a-possibly-negati.patch
@@ -0,0 +1,50 @@
+From e301a0f38a2130eb80f346c31e43bf5089af583c Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Fri, 4 Dec 2020 15:04:28 +0000
+Subject: [PATCH] util/glue-efi: Fix incorrect use of a possibly negative value
+
+It is possible for the ftell() function to return a negative value,
+although it is fairly unlikely here, we should be checking for
+a negative value before we assign it to an unsigned value.
+
+Fixes: CID 73744
+
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1641d74e16f9d1ca35ba1a87ee4a0bf3afa48e72]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ util/glue-efi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/util/glue-efi.c b/util/glue-efi.c
+index 68f5316..de0fa6d 100644
+--- a/util/glue-efi.c
++++ b/util/glue-efi.c
+@@ -39,13 +39,23 @@ write_fat (FILE *in32, FILE *in64, FILE *out, const char *out_filename,
+ struct grub_macho_fat_header head;
+ struct grub_macho_fat_arch arch32, arch64;
+ grub_uint32_t size32, size64;
++ long size;
+ char *buf;
+
+ fseek (in32, 0, SEEK_END);
+- size32 = ftell (in32);
++ size = ftell (in32);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name32, strerror (errno));
++ size32 = (grub_uint32_t) size;
+ fseek (in32, 0, SEEK_SET);
++
+ fseek (in64, 0, SEEK_END);
+- size64 = ftell (in64);
++ size = ftell (in64);
++ if (size < 0)
++ grub_util_error ("cannot get end of input file '%s': %s",
++ name64, strerror (errno));
++ size64 = (grub_uint64_t) size;
+ fseek (in64, 0, SEEK_SET);
+
+ head.magic = grub_cpu_to_le32_compile_time (GRUB_MACHO_FAT_EFI_MAGIC);
diff --git a/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch b/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
new file mode 100644
index 0000000000..b279222fff
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch
@@ -0,0 +1,28 @@
+From f5fb56954e5926ced42a980c3e0842ffd5fea2aa Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 3 Apr 2020 23:05:13 +1100
+Subject: [PATCH] script/execute: Fix NULL dereference in
+ grub_script_execute_cmdline()
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=41ae93b2e6c75453514629bcfe684300e3aec0ce]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 7e028e1..5ea2aef 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -940,7 +940,7 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd)
+ struct grub_script_argv argv = { 0, 0, 0 };
+
+ /* Lookup the command. */
+- if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args[0])
++ if (grub_script_arglist_to_argv (cmdline->arglist, &argv) || ! argv.args || ! argv.args[0])
+ return grub_errno;
+
+ for (i = 0; i < argv.argc; i++)
diff --git a/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch b/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch
new file mode 100644
index 0000000000..5a327fe1d2
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch
@@ -0,0 +1,33 @@
+From dd82f98fa642907817f59aeaf3761b786898df85 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 16:57:37 +1100
+Subject: [PATCH] commands/ls: Require device_name is not NULL before printing
+
+This can be triggered with:
+ ls -l (0 0*)
+and causes a NULL deref in grub_normal_print_device_info().
+
+I'm not sure if there's any implication with the IEEE 1275 platform.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6afbe6063c95b827372f9ec310c9fc7461311eb1]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/ls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
+index 5b7491a..326d2d6 100644
+--- a/grub-core/commands/ls.c
++++ b/grub-core/commands/ls.c
+@@ -196,7 +196,7 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
+ goto fail;
+ }
+
+- if (! *path)
++ if (! *path && device_name)
+ {
+ if (grub_errno == GRUB_ERR_UNKNOWN_FS)
+ grub_errno = GRUB_ERR_NONE;
diff --git a/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch b/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch
new file mode 100644
index 0000000000..84117a9073
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0046-script-execute-Avoid-crash-when-using-outside-a-func.patch
@@ -0,0 +1,37 @@
+From df2505c4c3cf42b0c419c99a5f9e1ce63e5a5938 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Mon, 11 Jan 2021 17:30:42 +1100
+Subject: [PATCH] script/execute: Avoid crash when using "$#" outside a
+ function scope
+
+"$#" represents the number of arguments to a function. It is only
+defined in a function scope, where "scope" is non-NULL. Currently,
+if we attempt to evaluate "$#" outside a function scope, "scope" will
+be NULL and we will crash with a NULL pointer dereference.
+
+Do not attempt to count arguments for "$#" if "scope" is NULL. This
+will result in "$#" being interpreted as an empty string if evaluated
+outside a function scope.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=fe0586347ee46f927ae27bb9673532da9f5dead5]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/script/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index 5ea2aef..23d34bd 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -485,7 +485,7 @@ gettext_putvar (const char *str, grub_size_t len,
+ return 0;
+
+ /* Enough for any number. */
+- if (len == 1 && str[0] == '#')
++ if (len == 1 && str[0] == '#' && scope != NULL)
+ {
+ grub_snprintf (*ptr, 30, "%u", scope->argv.argc);
+ *ptr += grub_strlen (*ptr);
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
new file mode 100644
index 0000000000..c507ed3ea8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
@@ -0,0 +1,73 @@
+From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 15 Apr 2020 15:45:02 -0400
+Subject: yylex: Make lexer fatal errors actually be fatal
+
+When presented with a command that can't be tokenized to anything
+smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
+expecting that will stop further processing, as such:
+
+ #define YY_DO_BEFORE_ACTION \
+ yyg->yytext_ptr = yy_bp; \
+ yyleng = (int) (yy_cp - yy_bp); \
+ yyg->yy_hold_char = *yy_cp; \
+ *yy_cp = '\0'; \
+ if ( yyleng >= YYLMAX ) \
+ YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
+ yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
+ yyg->yy_c_buf_p = yy_cp;
+
+The code flex generates expects that YY_FATAL_ERROR() will either return
+for it or do some form of longjmp(), or handle the error in some way at
+least, and so the strncpy() call isn't in an "else" clause, and thus if
+YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
+questionable limit, and predictable results ensue.
+
+Unfortunately, our implementation of YY_FATAL_ERROR() is:
+
+ #define YY_FATAL_ERROR(msg) \
+ do { \
+ grub_printf (_("fatal error: %s\n"), _(msg)); \
+ } while (0)
+
+The same pattern exists in yyless(), and similar problems exist in users
+of YY_INPUT(), several places in the main parsing loop,
+yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
+yy_scan_buffer(), etc.
+
+All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
+the things they do if it returns after calling it are wildly unsafe.
+
+Fixes: CVE-2020-10713
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
+CVE: CVE-2020-10713
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ grub-core/script/yylex.l | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
+index 7b44c37b7..b7203c823 100644
+--- a/grub-core/script/yylex.l
++++ b/grub-core/script/yylex.l
+@@ -37,11 +37,11 @@
+
+ /*
+ * As we don't have access to yyscanner, we cannot do much except to
+- * print the fatal error.
++ * print the fatal error and exit.
+ */
+ #define YY_FATAL_ERROR(msg) \
+ do { \
+- grub_printf (_("fatal error: %s\n"), _(msg)); \
++ grub_fatal (_("fatal error: %s\n"), _(msg));\
+ } while (0)
+
+ #define COPY(str, hint) \
+--
+cgit v1.2.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch b/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
new file mode 100644
index 0000000000..637e368cb0
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14308-calloc-Use-calloc-at-most-places.patch
@@ -0,0 +1,1863 @@
+From bcdd6a55952222ec9829a59348240a4f983b0b56 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:26:01 -0400
+Subject: [PATCH 4/9] calloc: Use calloc() at most places
+
+This modifies most of the places we do some form of:
+
+ X = malloc(Y * Z);
+
+to use calloc(Y, Z) instead.
+
+Among other issues, this fixes:
+ - allocation of integer overflow in grub_png_decode_image_header()
+ reported by Chris Coulson,
+ - allocation of integer overflow in luks_recover_key()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_lvm_detect()
+ reported by Chris Coulson.
+
+Fixes: CVE-2020-14308
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14308
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f725fa7cb2ece547c5af01eeeecfe8d95802ed41
+
+[YL: don't patch on grub-core/lib/json/json.c, which is not existing in grub 2.04]
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/bus/usb/usbhub.c | 8 ++++----
+ grub-core/commands/efi/lsefisystab.c | 3 ++-
+ grub-core/commands/legacycfg.c | 6 +++---
+ grub-core/commands/menuentry.c | 2 +-
+ grub-core/commands/nativedisk.c | 2 +-
+ grub-core/commands/parttool.c | 12 +++++++++---
+ grub-core/commands/regexp.c | 2 +-
+ grub-core/commands/search_wrap.c | 2 +-
+ grub-core/disk/diskfilter.c | 4 ++--
+ grub-core/disk/ieee1275/ofdisk.c | 2 +-
+ grub-core/disk/ldm.c | 14 +++++++-------
+ grub-core/disk/luks.c | 2 +-
+ grub-core/disk/lvm.c | 12 ++++++------
+ grub-core/disk/xen/xendisk.c | 2 +-
+ grub-core/efiemu/loadcore.c | 2 +-
+ grub-core/efiemu/mm.c | 6 +++---
+ grub-core/font/font.c | 3 +--
+ grub-core/fs/affs.c | 6 +++---
+ grub-core/fs/btrfs.c | 6 +++---
+ grub-core/fs/hfs.c | 2 +-
+ grub-core/fs/hfsplus.c | 6 +++---
+ grub-core/fs/iso9660.c | 2 +-
+ grub-core/fs/ntfs.c | 4 ++--
+ grub-core/fs/sfs.c | 2 +-
+ grub-core/fs/tar.c | 2 +-
+ grub-core/fs/udf.c | 4 ++--
+ grub-core/fs/zfs/zfs.c | 4 ++--
+ grub-core/gfxmenu/gui_string_util.c | 2 +-
+ grub-core/gfxmenu/widget-box.c | 4 ++--
+ grub-core/io/gzio.c | 2 +-
+ grub-core/kern/efi/efi.c | 6 +++---
+ grub-core/kern/emu/hostdisk.c | 2 +-
+ grub-core/kern/fs.c | 2 +-
+ grub-core/kern/misc.c | 2 +-
+ grub-core/kern/parser.c | 2 +-
+ grub-core/kern/uboot/uboot.c | 2 +-
+ grub-core/lib/libgcrypt/cipher/ac.c | 8 ++++----
+ grub-core/lib/libgcrypt/cipher/primegen.c | 4 ++--
+ grub-core/lib/libgcrypt/cipher/pubkey.c | 4 ++--
+ grub-core/lib/priority_queue.c | 2 +-
+ grub-core/lib/reed_solomon.c | 7 +++----
+ grub-core/lib/relocator.c | 10 +++++-----
+ grub-core/lib/zstd/fse_decompress.c | 2 +-
+ grub-core/loader/arm/linux.c | 2 +-
+ grub-core/loader/efi/chainloader.c | 2 +-
+ grub-core/loader/i386/bsdXX.c | 2 +-
+ grub-core/loader/i386/xnu.c | 4 ++--
+ grub-core/loader/macho.c | 2 +-
+ grub-core/loader/multiboot_elfxx.c | 2 +-
+ grub-core/loader/xnu.c | 2 +-
+ grub-core/mmap/mmap.c | 4 ++--
+ grub-core/net/bootp.c | 2 +-
+ grub-core/net/dns.c | 10 +++++-----
+ grub-core/net/net.c | 4 ++--
+ grub-core/normal/charset.c | 10 +++++-----
+ grub-core/normal/cmdline.c | 14 +++++++-------
+ grub-core/normal/menu_entry.c | 14 +++++++-------
+ grub-core/normal/menu_text.c | 4 ++--
+ grub-core/normal/term.c | 4 ++--
+ grub-core/osdep/linux/getroot.c | 6 +++---
+ grub-core/osdep/unix/config.c | 2 +-
+ grub-core/osdep/windows/getroot.c | 2 +-
+ grub-core/osdep/windows/hostdisk.c | 4 ++--
+ grub-core/osdep/windows/init.c | 2 +-
+ grub-core/osdep/windows/platform.c | 4 ++--
+ grub-core/osdep/windows/relpath.c | 2 +-
+ grub-core/partmap/gpt.c | 2 +-
+ grub-core/partmap/msdos.c | 2 +-
+ grub-core/script/execute.c | 2 +-
+ grub-core/tests/fake_input.c | 2 +-
+ grub-core/tests/video_checksum.c | 6 +++---
+ grub-core/video/capture.c | 2 +-
+ grub-core/video/emu/sdl.c | 2 +-
+ grub-core/video/i386/pc/vga.c | 2 +-
+ grub-core/video/readers/png.c | 2 +-
+ include/grub/unicode.h | 4 ++--
+ util/getroot.c | 2 +-
+ util/grub-file.c | 2 +-
+ util/grub-fstest.c | 4 ++--
+ util/grub-install-common.c | 2 +-
+ util/grub-install.c | 4 ++--
+ util/grub-mkimagexx.c | 6 ++----
+ util/grub-mkrescue.c | 4 ++--
+ util/grub-mkstandalone.c | 2 +-
+ util/grub-pe2elf.c | 12 +++++-------
+ util/grub-probe.c | 4 ++--
+ 86 files changed, 178 insertions(+), 177 deletions(-)
+
+diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
+index 34a7ff1..a06cce3 100644
+--- a/grub-core/bus/usb/usbhub.c
++++ b/grub-core/bus/usb/usbhub.c
+@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
+ grub_usb_set_configuration (dev, 1);
+
+ dev->nports = hubdesc.portcnt;
+- dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
+- dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
++ dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
++ dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
+ if (!dev->children || !dev->ports)
+ {
+ grub_free (dev->children);
+@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d
+
+ /* Query the number of ports the root Hub has. */
+ hub->nports = controller->dev->hubports (controller);
+- hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
+- hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
++ hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
++ hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
+ if (!hub->devices || !hub->ports)
+ {
+ grub_free (hub->devices);
+diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c
+index df10302..cd81507 100644
+--- a/grub-core/commands/efi/lsefisystab.c
++++ b/grub-core/commands/efi/lsefisystab.c
+@@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
+ grub_printf ("Vendor: ");
+
+ for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
+- vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
++ /* Allocate extra 3 bytes to simplify math. */
++ vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
+ if (!vendor)
+ return grub_errno;
+ *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
+diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
+index db7a8f0..5e3ec0d 100644
+--- a/grub-core/commands/legacycfg.c
++++ b/grub-core/commands/legacycfg.c
+@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
+ if (argc < 2)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+
+- cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
++ cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
+ if (!cutargs)
+ return grub_errno;
+ cutargc = argc - 1;
+@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
+ {
+ char rbuf[3] = "-r";
+ bsdargc = cutargc + 2;
+- bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
++ bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
+ if (!bsdargs)
+ {
+ err = grub_errno;
+@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
+ "module");
+
+- newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
++ newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
+ if (!newargs)
+ return grub_errno;
+ grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 2c5363d..9164df7 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
+ goto fail;
+
+ /* Save argc, args to pass as parameters to block arg later. */
+- menu_args = grub_malloc (sizeof (char*) * (argc + 1));
++ menu_args = grub_calloc (argc + 1, sizeof (char *));
+ if (! menu_args)
+ goto fail;
+
+diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c
+index 699447d..7c8f97f 100644
+--- a/grub-core/commands/nativedisk.c
++++ b/grub-core/commands/nativedisk.c
+@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
+ else
+ path_prefix = prefix;
+
+- mods = grub_malloc (argc * sizeof (mods[0]));
++ mods = grub_calloc (argc, sizeof (mods[0]));
+ if (!mods)
+ return grub_errno;
+
+diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c
+index 22b46b1..051e313 100644
+--- a/grub-core/commands/parttool.c
++++ b/grub-core/commands/parttool.c
+@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
+ for (nargs = 0; args[nargs].name != 0; nargs++);
+ cur->nargs = nargs;
+ cur->args = (struct grub_parttool_argdesc *)
+- grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
++ grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
++ if (!cur->args)
++ {
++ grub_free (cur);
++ curhandle--;
++ return -1;
++ }
+ grub_memcpy (cur->args, args,
+ (nargs + 1) * sizeof (struct grub_parttool_argdesc));
+
+@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
+ return err;
+ }
+
+- parsed = (int *) grub_zalloc (argc * sizeof (int));
++ parsed = (int *) grub_calloc (argc, sizeof (int));
+
+ for (i = 1; i < argc; i++)
+ if (! parsed[i])
+@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
+ }
+ ptool = cur;
+ pargs = (struct grub_parttool_args *)
+- grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
++ grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
+ for (j = i; j < argc; j++)
+ if (! parsed[j])
+ {
+diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c
+index f00b184..4019164 100644
+--- a/grub-core/commands/regexp.c
++++ b/grub-core/commands/regexp.c
+@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
+ if (ret)
+ goto fail;
+
+- matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
++ matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
+ if (! matches)
+ goto fail;
+
+diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
+index d7fd26b..47fc8eb 100644
+--- a/grub-core/commands/search_wrap.c
++++ b/grub-core/commands/search_wrap.c
+@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
+ for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
+ nhints++;
+
+- hints = grub_malloc (sizeof (hints[0]) * nhints);
++ hints = grub_calloc (nhints, sizeof (hints[0]));
+ if (!hints)
+ return grub_errno;
+ j = 0;
+diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
+index c3b578a..68ca9e0 100644
+--- a/grub-core/disk/diskfilter.c
++++ b/grub-core/disk/diskfilter.c
+@@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
+ array->lvs->segments->node_count = nmemb;
+ array->lvs->segments->raid_member_size = disk_size;
+ array->lvs->segments->nodes
+- = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
++ = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
+ array->lvs->segments->stripe_size = stripe_size;
+ for (i = 0; i < nmemb; i++)
+ {
+@@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
+ grub_partition_t p;
+ for (p = disk->partition; p; p = p->parent)
+ s++;
+- pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
++ pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
+ s = 0;
+ for (p = disk->partition; p; p = p->parent)
+ pv->partmaps[s++] = xstrdup (p->partmap->name);
+diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
+index f73257e..03674cb 100644
+--- a/grub-core/disk/ieee1275/ofdisk.c
++++ b/grub-core/disk/ieee1275/ofdisk.c
+@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
+ /* Power machines documentation specify 672 as maximum SAS disks in
+ one system. Using a slightly larger value to be safe. */
+ table_size = 768;
+- table = grub_malloc (table_size * sizeof (grub_uint64_t));
++ table = grub_calloc (table_size, sizeof (grub_uint64_t));
+
+ if (!table)
+ {
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 2a22d2d..e632370 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk,
+ lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ lv->segments->node_count = 0;
+ lv->segments->node_alloc = 8;
+- lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes)
+- * lv->segments->node_alloc);
++ lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
++ sizeof (*lv->segments->nodes));
+ if (!lv->segments->nodes)
+ goto fail2;
+ ptr = vblk[i].dynamic;
+@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk,
+ {
+ comp->segment_alloc = 8;
+ comp->segment_count = 0;
+- comp->segments = grub_malloc (sizeof (*comp->segments)
+- * comp->segment_alloc);
++ comp->segments = grub_calloc (comp->segment_alloc,
++ sizeof (*comp->segments));
+ if (!comp->segments)
+ goto fail2;
+ }
+@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk,
+ }
+ comp->segments->node_count = read_int (ptr + 1, *ptr);
+ comp->segments->node_alloc = comp->segments->node_count;
+- comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes)
+- * comp->segments->node_alloc);
++ comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
++ sizeof (*comp->segments->nodes));
+ if (!lv->segments->nodes)
+ goto fail2;
+ }
+@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors,
+ *nsectors = lv->size;
+ if (*nsectors > max_nsectors)
+ *nsectors = max_nsectors;
+- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+ if (!*sectors)
+ return grub_errno;
+ for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 86c50c6..18b3a8b 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source,
+ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
+ max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
+
+- split_key = grub_malloc (keysize * max_stripes);
++ split_key = grub_calloc (keysize, max_stripes);
+ if (!split_key)
+ return grub_errno;
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index dc6b83b..7b5fbbc 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -209,7 +209,7 @@ grub_lvm_detect (grub_disk_t disk,
+ first one. */
+
+ /* Allocate buffer space for the circular worst-case scenario. */
+- metadatabuf = grub_malloc (2 * mda_size);
++ metadatabuf = grub_calloc (2, mda_size);
+ if (! metadatabuf)
+ goto fail;
+
+@@ -464,7 +464,7 @@ grub_lvm_detect (grub_disk_t disk,
+ #endif
+ goto lvs_fail;
+ }
+- lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count);
++ lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));
+ seg = lv->segments;
+
+ for (i = 0; i < lv->segment_count; i++)
+@@ -521,8 +521,8 @@ grub_lvm_detect (grub_disk_t disk,
+ if (seg->node_count != 1)
+ seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
+
+- seg->nodes = grub_zalloc (sizeof (*stripe)
+- * seg->node_count);
++ seg->nodes = grub_calloc (seg->node_count,
++ sizeof (*stripe));
+ stripe = seg->nodes;
+
+ p = grub_strstr (p, "stripes = [");
+@@ -898,7 +898,7 @@ grub_lvm_detect (grub_disk_t disk,
+ break;
+ if (lv)
+ {
+- cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
++ cache->lv->segments = grub_calloc (lv->segment_count, sizeof (*lv->segments));
+ if (!cache->lv->segments)
+ {
+ grub_lvm_free_cache_lvs (cache_lvs);
+@@ -911,7 +911,7 @@ grub_lvm_detect (grub_disk_t disk,
+ struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
+ grub_size_t node_count = lv->segments[i].node_count;
+
+- cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
++ cache->lv->segments[i].nodes = grub_calloc (node_count, sizeof (*nodes));
+ if (!cache->lv->segments[i].nodes)
+ {
+ for (j = 0; j < i; ++j)
+diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c
+index 48476cb..d6612ee 100644
+--- a/grub-core/disk/xen/xendisk.c
++++ b/grub-core/disk/xen/xendisk.c
+@@ -426,7 +426,7 @@ grub_xendisk_init (void)
+ if (!ctr)
+ return;
+
+- virtdisks = grub_malloc (ctr * sizeof (virtdisks[0]));
++ virtdisks = grub_calloc (ctr, sizeof (virtdisks[0]));
+ if (!virtdisks)
+ return;
+ if (grub_xenstore_dir ("device/vbd", fill, &ctr))
+diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c
+index 44085ef..2b92462 100644
+--- a/grub-core/efiemu/loadcore.c
++++ b/grub-core/efiemu/loadcore.c
+@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
+
+ grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize;
+ grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
+- grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms);
++ grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
+
+ /* Relocators */
+ for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
+diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c
+index 52a032f..9b8e0d0 100644
+--- a/grub-core/efiemu/mm.c
++++ b/grub-core/efiemu/mm.c
+@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void)
+ /* Initialize variables*/
+ grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE);
+ scanline_events = (struct grub_efiemu_mmap_scan *)
+- grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num);
++ grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2);
+
+ /* Number of chunks can't increase more than by factor of 2 */
+ result = (grub_efi_memory_descriptor_t *)
+- grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num);
++ grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2);
+ if (!result || !scanline_events)
+ {
+ grub_free (result);
+@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void)
+
+ /* Preallocate mmap */
+ efiemu_mmap = (grub_efi_memory_descriptor_t *)
+- grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t));
++ grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t));
+ if (!efiemu_mmap)
+ {
+ grub_efiemu_unload ();
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 85a2925..8e118b3 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+ font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE;
+
+ /* Allocate the character index array. */
+- font->char_index = grub_malloc (font->num_chars
+- * sizeof (struct char_index_entry));
++ font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry));
+ if (!font->char_index)
+ return 1;
+ font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 6b6a2bc..220b371 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node)
+ return 0;
+ }
+ latin1[symlink_size] = 0;
+- utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size);
+ if (!utf8)
+ {
+ grub_free (latin1);
+@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ return 1;
+ }
+
+- hashtable = grub_zalloc (data->htsize * sizeof (*hashtable));
++ hashtable = grub_calloc (data->htsize, sizeof (*hashtable));
+ if (!hashtable)
+ return 1;
+
+@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label)
+ len = file.namelen;
+ if (len > sizeof (file.name))
+ len = sizeof (file.name);
+- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len);
+ if (*label)
+ *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
+ }
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 48bd3d0..11272ef 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data,
+ {
+ desc->allocated = 16;
+ desc->depth = 0;
+- desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated);
++ desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0]));
+ if (!desc->data)
+ return grub_errno;
+ }
+@@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data,
+ grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY;
+ grub_uint64_t i, failed_devices;
+
+- buffers = grub_zalloc (sizeof(*buffers) * nstripes);
++ buffers = grub_calloc (nstripes, sizeof (*buffers));
+ if (!buffers)
+ goto cleanup;
+
+@@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)),
+ *nsectors = 64 * 2 - 1;
+ if (*nsectors > max_nsectors)
+ *nsectors = max_nsectors;
+- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+ if (!*sectors)
+ return grub_errno;
+ for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index ac0a409..3fe842b 100644
+--- a/grub-core/fs/hfs.c
++++ b/grub-core/fs/hfs.c
+@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label)
+ grub_size_t len = data->sblock.volname[0];
+ if (len > sizeof (data->sblock.volname) - 1)
+ len = sizeof (data->sblock.volname) - 1;
+- *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
++ *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len);
+ if (*label)
+ macroman_to_utf8 (*label, data->sblock.volname + 1,
+ len + 1, 0);
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 54786bb..dae43be 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg)
+ if (! filename)
+ return 0;
+
+- keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname));
++ keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname));
+ if (!keyname)
+ {
+ grub_free (filename);
+@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+
+ label_len = grub_be_to_cpu16 (catkey->namelen);
+- label_name = grub_malloc (label_len * sizeof (*label_name));
++ label_name = grub_calloc (label_len, sizeof (*label_name));
+ if (!label_name)
+ {
+ grub_free (node);
+@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ }
+ }
+
+- *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++ *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1);
+ if (! *label)
+ {
+ grub_free (label_name);
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 49c0c63..4f1b52a 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len)
+ int i;
+ grub_uint16_t t[MAX_NAMELEN / 2 + 1];
+
+- p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++ p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
+ if (! p)
+ return NULL;
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index fc4e1f6..2f34f76 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
+ grub_uint16_t *tmp;
+ grub_size_t i;
+
+- buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
+- tmp = grub_malloc (len * sizeof (tmp[0]));
++ buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
++ tmp = grub_calloc (len, sizeof (tmp[0]));
+ if (!buf || !tmp)
+ {
+ grub_free (buf);
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 50c1fe7..90f7fb3 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ node->next_extent = node->block;
+ node->cache_size = 0;
+
+- node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size);
++ node->cache = grub_calloc (cache_size, sizeof (node->cache[0]));
+ if (!node->cache)
+ {
+ grub_errno = 0;
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index 7d63e0c..c551ed6 100644
+--- a/grub-core/fs/tar.c
++++ b/grub-core/fs/tar.c
+@@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ if (data->linkname_alloc < linksize + 1)
+ {
+ char *n;
+- n = grub_malloc (2 * (linksize + 1));
++ n = grub_calloc (2, linksize + 1);
+ if (!n)
+ return grub_errno;
+ grub_free (data->linkname);
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index dc8b6e2..a837616 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+ {
+ unsigned i;
+ utf16len = sz - 1;
+- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
++ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
+ if (!utf16)
+ return NULL;
+ for (i = 0; i < utf16len; i++)
+@@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+ {
+ unsigned i;
+ utf16len = (sz - 1) / 2;
+- utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
++ utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
+ if (!utf16)
+ return NULL;
+ for (i = 0; i < utf16len; i++)
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 2f72e42..381dde5 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol,
+ }
+ subvol->nkeys = 0;
+ zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data);
+- subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0]));
++ subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0]));
+ if (!subvol->keyring)
+ {
+ grub_free (fsname);
+@@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)),
+ *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS);
+ if (*nsectors > max_nsectors)
+ *nsectors = max_nsectors;
+- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+ if (!*sectors)
+ return grub_errno;
+ for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c
+index a9a415e..ba1e1ea 100644
+--- a/grub-core/gfxmenu/gui_string_util.c
++++ b/grub-core/gfxmenu/gui_string_util.c
+@@ -55,7 +55,7 @@ canonicalize_path (const char *path)
+ if (*p == '/')
+ components++;
+
+- char **path_array = grub_malloc (components * sizeof (*path_array));
++ char **path_array = grub_calloc (components, sizeof (*path_array));
+ if (! path_array)
+ return 0;
+
+diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c
+index b606028..470597d 100644
+--- a/grub-core/gfxmenu/widget-box.c
++++ b/grub-core/gfxmenu/widget-box.c
+@@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix,
+ box->content_height = 0;
+ box->raw_pixmaps =
+ (struct grub_video_bitmap **)
+- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
++ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
+ box->scaled_pixmaps =
+ (struct grub_video_bitmap **)
+- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
++ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
+
+ /* Initialize all pixmap pointers to NULL so that proper destruction can
+ be performed if an error is encountered partway through construction. */
+diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
+index 6208a97..43d98a7 100644
+--- a/grub-core/io/gzio.c
++++ b/grub-core/io/gzio.c
+@@ -554,7 +554,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */
+ z = 1 << j; /* table entries for j-bit table */
+
+ /* allocate and link in new table */
+- q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft));
++ q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft));
+ if (! q)
+ {
+ if (h)
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb9..dc31caa 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
+
+ len = grub_strlen (var);
+ len16 = len * GRUB_MAX_UTF16_PER_UTF8;
+- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
++ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
+ if (!var16)
+ return grub_errno;
+ len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
+@@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+
+ len = grub_strlen (var);
+ len16 = len * GRUB_MAX_UTF16_PER_UTF8;
+- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
++ var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
+ if (!var16)
+ return NULL;
+ len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
+@@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ while (len > 0 && fp->path_name[len - 1] == 0)
+ len--;
+
+- dup_name = grub_malloc (len * sizeof (*dup_name));
++ dup_name = grub_calloc (len, sizeof (*dup_name));
+ if (!dup_name)
+ {
+ grub_free (name);
+diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c
+index e9ec680..d975265 100644
+--- a/grub-core/kern/emu/hostdisk.c
++++ b/grub-core/kern/emu/hostdisk.c
+@@ -615,7 +615,7 @@ static char *
+ grub_util_path_concat_real (size_t n, int ext, va_list ap)
+ {
+ size_t totlen = 0;
+- char **l = xmalloc ((n + ext) * sizeof (l[0]));
++ char **l = xcalloc (n + ext, sizeof (l[0]));
+ char *r, *p, *pi;
+ size_t i;
+ int first = 1;
+diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
+index 2b85f49..f90be65 100644
+--- a/grub-core/kern/fs.c
++++ b/grub-core/kern/fs.c
+@@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name)
+ while (p);
+
+ /* Allocate a block list. */
+- blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1));
++ blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block));
+ if (! blocks)
+ return 0;
+
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index 3b633d5..a7abd36 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args,
+ args->ptr = args->prealloc;
+ else
+ {
+- args->ptr = grub_malloc (args->count * sizeof (args->ptr[0]));
++ args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
+ if (!args->ptr)
+ {
+ grub_errno = GRUB_ERR_NONE;
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 78175aa..619db31 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline,
+ return grub_errno;
+ grub_memcpy (args, buffer, bp - buffer);
+
+- *argv = grub_malloc (sizeof (char *) * (*argc + 1));
++ *argv = grub_calloc (*argc + 1, sizeof (char *));
+ if (!*argv)
+ {
+ grub_free (args);
+diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c
+index be4816f..aac8f9a 100644
+--- a/grub-core/kern/uboot/uboot.c
++++ b/grub-core/kern/uboot/uboot.c
+@@ -133,7 +133,7 @@ grub_uboot_dev_enum (void)
+ return num_devices;
+
+ max_devices = 2;
+- enum_devices = grub_malloc (sizeof(struct device_info) * max_devices);
++ enum_devices = grub_calloc (max_devices, sizeof(struct device_info));
+ if (!enum_devices)
+ return 0;
+
+diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c
+index f5e946a..63f6fcd 100644
+--- a/grub-core/lib/libgcrypt/cipher/ac.c
++++ b/grub-core/lib/libgcrypt/cipher/ac.c
+@@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n,
+ gcry_mpi_t mpi;
+ char *label;
+
+- data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n);
++ data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new));
+ if (! data_mpis_new)
+ {
+ err = gcry_error_from_errno (errno);
+@@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp,
+ }
+
+ /* Add MPI list. */
+- arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1));
++ arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list));
+ if (! arg_list)
+ {
+ err = gcry_error_from_errno (errno);
+@@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags,
+ /* We build a list of arguments to pass to
+ gcry_sexp_build_array(). */
+ data_length = _gcry_ac_data_length (data);
+- arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2));
++ arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2);
+ if (! arg_list)
+ {
+ err = gcry_error_from_errno (errno);
+@@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits,
+ arg_list_n += 2;
+
+ /* Allocate list. */
+- arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n);
++ arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list));
+ if (! arg_list)
+ {
+ err = gcry_error_from_errno (errno);
+diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c
+index 2788e34..b12e79b 100644
+--- a/grub-core/lib/libgcrypt/cipher/primegen.c
++++ b/grub-core/lib/libgcrypt/cipher/primegen.c
+@@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor,
+ }
+
+ /* Allocate an array to track pool usage. */
+- pool_in_use = gcry_malloc (n * sizeof *pool_in_use);
++ pool_in_use = gcry_calloc (n, sizeof *pool_in_use);
+ if (!pool_in_use)
+ {
+ err = gpg_err_code_from_errno (errno);
+@@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
+ if (nbits < 16)
+ log_fatal ("can't generate a prime with less than %d bits\n", 16);
+
+- mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods );
++ mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods);
+ /* Make nbits fit into gcry_mpi_t implementation. */
+ val_2 = mpi_alloc_set_ui( 2 );
+ val_3 = mpi_alloc_set_ui( 3);
+diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c
+index 9109821..ca087ad 100644
+--- a/grub-core/lib/libgcrypt/cipher/pubkey.c
++++ b/grub-core/lib/libgcrypt/cipher/pubkey.c
+@@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey)
+ * array to a format string, so we have to do it this way :-(. */
+ /* FIXME: There is now such a format specifier, so we can
+ change the code to be more clear. */
+- arg_list = malloc (nelem * sizeof *arg_list);
++ arg_list = calloc (nelem, sizeof *arg_list);
+ if (!arg_list)
+ {
+ rc = gpg_err_code_from_syserror ();
+@@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey)
+ }
+ strcpy (p, "))");
+
+- arg_list = malloc (nelem * sizeof *arg_list);
++ arg_list = calloc (nelem, sizeof *arg_list);
+ if (!arg_list)
+ {
+ rc = gpg_err_code_from_syserror ();
+diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c
+index 659be0b..7d5e7c0 100644
+--- a/grub-core/lib/priority_queue.c
++++ b/grub-core/lib/priority_queue.c
+@@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize,
+ {
+ struct grub_priority_queue *ret;
+ void *els;
+- els = grub_malloc (elsize * 8);
++ els = grub_calloc (8, elsize);
+ if (!els)
+ return 0;
+ ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret));
+diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c
+index ee9fa7b..467305b 100644
+--- a/grub-core/lib/reed_solomon.c
++++ b/grub-core/lib/reed_solomon.c
+@@ -20,6 +20,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#define xcalloc calloc
+ #define xmalloc malloc
+ #define grub_memset memset
+ #define grub_memcpy memcpy
+@@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs)
+ gf_single_t *rs_polynomial;
+ int i, j;
+ gf_single_t *m;
+- m = xmalloc ((s + rs) * sizeof (gf_single_t));
++ m = xcalloc (s + rs, sizeof (gf_single_t));
+ grub_memcpy (m, data, s * sizeof (gf_single_t));
+- grub_memset (m + s, 0, rs * sizeof (gf_single_t));
+- rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t));
+- grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t));
++ rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t));
+ rs_polynomial[rs] = 1;
+ /* Multiply with X - a^r */
+ for (j = 0; j < rs; j++)
+diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
+index ea3ebc7..5847aac 100644
+--- a/grub-core/lib/relocator.c
++++ b/grub-core/lib/relocator.c
+@@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel,
+ }
+ #endif
+
+- eventt = grub_malloc (maxevents * sizeof (events[0]));
++ eventt = grub_calloc (maxevents, sizeof (events[0]));
+ counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0]));
+- events = grub_malloc (maxevents * sizeof (events[0]));
++ events = grub_calloc (maxevents, sizeof (events[0]));
+ if (!events || !eventt || !counter)
+ {
+ grub_dprintf ("relocator", "events or counter allocation failed %d\n",
+@@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel,
+ #endif
+ unsigned cural = 0;
+ int oom = 0;
+- res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs);
++ res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0]));
+ if (!res->subchunks)
+ oom = 1;
+ res->nsubchunks = nallocs;
+@@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr,
+ count[(chunk->src & 0xff) + 1]++;
+ }
+ }
+- from = grub_malloc (nchunks * sizeof (sorted[0]));
+- to = grub_malloc (nchunks * sizeof (sorted[0]));
++ from = grub_calloc (nchunks, sizeof (sorted[0]));
++ to = grub_calloc (nchunks, sizeof (sorted[0]));
+ if (!from || !to)
+ {
+ grub_free (from);
+diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c
+index 72bbead..2227b84 100644
+--- a/grub-core/lib/zstd/fse_decompress.c
++++ b/grub-core/lib/zstd/fse_decompress.c
+@@ -82,7 +82,7 @@
+ FSE_DTable* FSE_createDTable (unsigned tableLog)
+ {
+ if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX;
+- return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) );
++ return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) );
+ }
+
+ void FSE_freeDTable (FSE_DTable* dt)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index 5168491..d70c174 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag)
+
+ /* some place for cmdline, initrd and terminator. */
+ tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4;
+- tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t));
++ tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t));
+ if (!tmp_atag)
+ return grub_errno;
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index cd92ea3..daf8c6b 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
+ fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE;
+ fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE;
+
+- path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
++ path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
+ if (!path_name)
+ return;
+
+diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c
+index af6741d..a8d8bf7 100644
+--- a/grub-core/loader/i386/bsdXX.c
++++ b/grub-core/loader/i386/bsdXX.c
+@@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr)
+ if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS))
+ return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic"));
+
+- *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize);
++ *shdr = grub_calloc (e->e_shnum, e->e_shentsize);
+ if (! *shdr)
+ return grub_errno;
+
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index e64ed08..b7d176b 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d
+ return grub_errno;
+
+ len = grub_strlen (name);
+- utf16 = grub_malloc (sizeof (grub_uint16_t) * len);
++ utf16 = grub_calloc (len, sizeof (grub_uint16_t));
+ if (!utf16)
+ {
+ grub_free (utf8);
+@@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor *
+ grub_uint16_t *utf16;
+ grub_err_t err;
+
+- utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen);
++ utf16 = grub_calloc (namelen, sizeof (grub_uint16_t));
+ if (!utf16)
+ return grub_errno;
+ grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen);
+diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c
+index 085f9c6..05710c4 100644
+--- a/grub-core/loader/macho.c
++++ b/grub-core/loader/macho.c
+@@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit)
+ if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header))
+ == (grub_off_t) -1)
+ goto fail;
+- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
++ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
+ if (!archs)
+ goto fail;
+ if (grub_file_read (macho->file, archs,
+diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
+index 70cd1db..cc68536 100644
+--- a/grub-core/loader/multiboot_elfxx.c
++++ b/grub-core/loader/multiboot_elfxx.c
+@@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ {
+ grub_uint8_t *shdr, *shdrptr;
+
+- shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize);
++ shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize);
+ if (!shdr)
+ return grub_errno;
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 7f74d1d..77d7060 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)),
+ if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC)
+ {
+ narchs = grub_be_to_cpu32 (head.nfat_arch);
+- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
++ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
+ if (! archs)
+ {
+ grub_file_close (file);
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 6a31cba..57b4e9a 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+
+ /* Initialize variables. */
+ ctx.scanline_events = (struct grub_mmap_scan *)
+- grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num);
++ grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2);
+
+- present = grub_zalloc (sizeof (present[0]) * current_priority);
++ present = grub_calloc (current_priority, sizeof (present[0]));
+
+ if (! ctx.scanline_events || !present)
+ {
+diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
+index 04cfbb0..6539572 100644
+--- a/grub-core/net/bootp.c
++++ b/grub-core/net/bootp.c
+@@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)),
+ if (ncards == 0)
+ return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found"));
+
+- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
++ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
+ if (!ifaces)
+ return grub_errno;
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index 5d9afe0..e332d5e 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ ptr++;
+ ptr += 4;
+ }
+- *data->addresses = grub_malloc (sizeof ((*data->addresses)[0])
+- * grub_be_to_cpu16 (head->ancount));
++ *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount),
++ sizeof ((*data->addresses)[0]));
+ if (!*data->addresses)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ dns_cache[h].addresses = 0;
+ dns_cache[h].name = grub_strdup (data->oname);
+ dns_cache[h].naddresses = *data->naddresses;
+- dns_cache[h].addresses = grub_malloc (*data->naddresses
+- * sizeof (dns_cache[h].addresses[0]));
++ dns_cache[h].addresses = grub_calloc (*data->naddresses,
++ sizeof (dns_cache[h].addresses[0]));
+ dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all;
+ if (!dns_cache[h].addresses || !dns_cache[h].name)
+ {
+@@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name,
+ }
+ }
+
+- sockets = grub_malloc (sizeof (sockets[0]) * n_servers);
++ sockets = grub_calloc (n_servers, sizeof (sockets[0]));
+ if (!sockets)
+ return grub_errno;
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index d5d726a..38f19df 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)),
+ ncards++;
+ }
+
+- ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
+- slaacs = grub_zalloc (ncards * sizeof (slaacs[0]));
++ ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
++ slaacs = grub_calloc (ncards, sizeof (slaacs[0]));
+ if (!ifaces || !slaacs)
+ {
+ grub_free (ifaces);
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index b0ab47d..d57fb72 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg,
+ {
+ grub_size_t msg_len = grub_strlen (msg);
+
+- *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
++ *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
+
+ if (!*unicode_msg)
+ return -1;
+@@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ }
+ else
+ {
+- n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1));
++ n = grub_calloc (out->ncomb + 1, sizeof (n[0]));
+ if (!n)
+ {
+ grub_errno = GRUB_ERR_NONE;
+@@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical,
+ } \
+ }
+
+- visual = grub_malloc (sizeof (visual[0]) * logical_len);
++ visual = grub_calloc (logical_len, sizeof (visual[0]));
+ if (!visual)
+ return -1;
+
+@@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical,
+ {
+ const grub_uint32_t *line_start = logical, *ptr;
+ struct grub_unicode_glyph *visual_ptr;
+- *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0])
+- * (logical_len + 2));
++ *visual_out = visual_ptr = grub_calloc (logical_len + 2,
++ 3 * sizeof (visual_ptr[0]));
+ if (!visual_ptr)
+ return -1;
+ for (ptr = logical; ptr <= logical + logical_len; ptr++)
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index c037d50..c57242e 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -41,7 +41,7 @@ grub_err_t
+ grub_set_history (int newsize)
+ {
+ grub_uint32_t **old_hist_lines = hist_lines;
+- hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize);
++ hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *));
+
+ /* Copy the old lines into the new buffer. */
+ if (old_hist_lines)
+@@ -114,7 +114,7 @@ static void
+ grub_history_set (int pos, grub_uint32_t *s, grub_size_t len)
+ {
+ grub_free (hist_lines[pos]);
+- hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t));
++ hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t));
+ if (!hist_lines[pos])
+ {
+ grub_print_error ();
+@@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated)
+ char *ret;
+ unsigned nterms;
+
+- buf = grub_malloc (max_len * sizeof (grub_uint32_t));
++ buf = grub_calloc (max_len, sizeof (grub_uint32_t));
+ if (!buf)
+ return 0;
+
+@@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated)
+ FOR_ACTIVE_TERM_OUTPUTS(cur)
+ nterms++;
+
+- cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms);
++ cl_terms = grub_calloc (nterms, sizeof (cl_terms[0]));
+ if (!cl_terms)
+ {
+ grub_free (buf);
+@@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated)
+ }
+ cl_term_cur = cl_terms;
+
+- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
++ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
+ if (!unicode_msg)
+ {
+ grub_free (buf);
+@@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated)
+ grub_uint32_t *insert;
+
+ insertlen = grub_strlen (insertu8);
+- insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t));
++ insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t));
+ if (!insert)
+ {
+ grub_free (insertu8);
+@@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated)
+
+ grub_free (kill_buf);
+
+- kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t));
++ kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t));
+ if (grub_errno)
+ {
+ grub_print_error ();
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index cdf3590..1993995 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep)
+ {
+ linep->len = 0;
+ linep->max_len = 80;
+- linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0]));
+- linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0]));
++ linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0]));
++ linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0]));
+ if (! linep->buf || !linep->pos)
+ {
+ grub_free (linep->buf);
+@@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen,
+ pos = linep->pos + (term_screen - screen->terms);
+
+ if (!*pos)
+- *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos));
++ *pos = grub_calloc (linep->len + 1, sizeof (**pos));
+
+ if (i == region_start || linep == screen->lines + screen->line
+ || (i > region_start && mode == ALL_LINES))
+@@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update)
+
+ /* Insert the string. */
+ current_linep = screen->lines + screen->line;
+- unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t));
++ unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t));
+
+ if (!unicode_msg)
+ return 0;
+@@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update)
+ if (completion_buffer.buf)
+ {
+ buflen = grub_strlen (completion_buffer.buf);
+- ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1));
++ ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t));
+
+ if (!ucs4)
+ {
+@@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+ for (i = 0; i < (unsigned) screen->num_lines; i++)
+ {
+ grub_free (screen->lines[i].pos);
+- screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0]));
++ screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0]));
+ if (! screen->lines[i].pos)
+ {
+ grub_print_error ();
+@@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+ }
+ }
+
+- screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0]));
++ screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0]));
+ if (!screen->terms)
+ {
+ grub_print_error ();
+diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
+index e22bb91..18240e7 100644
+--- a/grub-core/normal/menu_text.c
++++ b/grub-core/normal/menu_text.c
+@@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left,
+ grub_size_t msg_len = grub_strlen (msg) + 2;
+ int ret = 0;
+
+- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
++ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
+
+ if (!unicode_msg)
+ return 0;
+@@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry,
+
+ title = entry ? entry->title : "";
+ title_len = grub_strlen (title);
+- unicode_title = grub_malloc (title_len * sizeof (*unicode_title));
++ unicode_title = grub_calloc (title_len, sizeof (*unicode_title));
+ if (! unicode_title)
+ /* XXX How to show this error? */
+ return;
+diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c
+index a1e5c5a..cc8c173 100644
+--- a/grub-core/normal/term.c
++++ b/grub-core/normal/term.c
+@@ -264,7 +264,7 @@ grub_term_save_pos (void)
+ FOR_ACTIVE_TERM_OUTPUTS(cur)
+ cnt++;
+
+- ret = grub_malloc (cnt * sizeof (ret[0]));
++ ret = grub_calloc (cnt, sizeof (ret[0]));
+ if (!ret)
+ return NULL;
+
+@@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len)
+
+ grub_error_push ();
+
+- unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t));
++ unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t));
+
+ grub_error_pop ();
+
+diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
+index 90d92d3..5b41ad0 100644
+--- a/grub-core/osdep/linux/getroot.c
++++ b/grub-core/osdep/linux/getroot.c
+@@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable)
+ if (ret != 0)
+ grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno));
+
+- devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *));
++ devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
+
+ for (i = 0, j = 0; j < info.nr_disks; i++)
+ {
+@@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir)
+ return NULL;
+ }
+
+- ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0]));
++ ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0]));
+
+ for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++)
+ {
+@@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot)
+ if (relroot)
+ *relroot = NULL;
+
+- entries = xmalloc (entry_max * sizeof (*entries));
++ entries = xcalloc (entry_max, sizeof (*entries));
+
+ again:
+ fp = grub_util_fopen ("/proc/self/mountinfo", "r");
+diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c
+index 65effa9..7d63251 100644
+--- a/grub-core/osdep/unix/config.c
++++ b/grub-core/osdep/unix/config.c
+@@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg)
+ argv[0] = "sh";
+ argv[1] = "-c";
+
+- script = xmalloc (4 * strlen (cfgfile) + 300);
++ script = xcalloc (4, strlen (cfgfile) + 300);
+
+ ptr = script;
+ memcpy (ptr, ". '", 3);
+diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c
+index 661d954..eada663 100644
+--- a/grub-core/osdep/windows/getroot.c
++++ b/grub-core/osdep/windows/getroot.c
+@@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path)
+
+ for (ptr = path; *ptr; ptr++);
+ allocsize = (ptr - path + 10) * 2;
+- out = xmalloc (allocsize * sizeof (out[0]));
++ out = xcalloc (allocsize, sizeof (out[0]));
+
+ /* When pointing to EFI system partition GetVolumePathName fails
+ for ESP root and returns abberant information for everything
+diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c
+index 3551007..0be3273 100644
+--- a/grub-core/osdep/windows/hostdisk.c
++++ b/grub-core/osdep/windows/hostdisk.c
+@@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path)
+
+ while (1)
+ {
+- fpa = xmalloc (alloc * sizeof (fpa[0]));
++ fpa = xcalloc (alloc, sizeof (fpa[0]));
+
+ len = GetFullPathName (tpath, alloc, fpa, NULL);
+ if (len >= alloc)
+@@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name)
+ for (l = 0; name_windows[l]; l++);
+ for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--);
+ l++;
+- pattern = xmalloc ((l + 3) * sizeof (pattern[0]));
++ pattern = xcalloc (l + 3, sizeof (pattern[0]));
+ memcpy (pattern, name_windows, l * sizeof (pattern[0]));
+ pattern[l] = '\\';
+ pattern[l + 1] = '*';
+diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c
+index e8ffd62..6297de6 100644
+--- a/grub-core/osdep/windows/init.c
++++ b/grub-core/osdep/windows/init.c
+@@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)),
+ LPWSTR *targv;
+
+ targv = CommandLineToArgvW (tcmdline, argc);
+- *argv = xmalloc ((*argc + 1) * sizeof (argv[0]));
++ *argv = xcalloc (*argc + 1, sizeof (argv[0]));
+
+ for (i = 0; i < *argc; i++)
+ (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]);
+diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c
+index 7eb53fe..1ef86bf 100644
+--- a/grub-core/osdep/windows/platform.c
++++ b/grub-core/osdep/windows/platform.c
+@@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev,
+ grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode"));
+
+ distrib8_len = grub_strlen (efi_distributor);
+- distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8
+- * sizeof (grub_uint16_t));
++ distributor16 = xcalloc (distrib8_len + 1,
++ GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t));
+ distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8,
+ (const grub_uint8_t *) efi_distributor,
+ distrib8_len, 0);
+diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c
+index cb08617..478e8ef 100644
+--- a/grub-core/osdep/windows/relpath.c
++++ b/grub-core/osdep/windows/relpath.c
+@@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path)
+ if (dirwindows[0] && dirwindows[1] == ':')
+ offset = 2;
+ }
+- ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2));
++ ret = xcalloc (flen - offset + 2, sizeof (ret[0]));
+ if (dirwindows[offset] != '\\'
+ && dirwindows[offset] != '/'
+ && dirwindows[offset])
+diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c
+index 103f679..72a2e37 100644
+--- a/grub-core/partmap/gpt.c
++++ b/grub-core/partmap/gpt.c
+@@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
+ *nsectors = ctx.len;
+ if (*nsectors > max_nsectors)
+ *nsectors = max_nsectors;
+- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+ if (!*sectors)
+ return grub_errno;
+ for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c
+index 7b8e450..ee3f249 100644
+--- a/grub-core/partmap/msdos.c
++++ b/grub-core/partmap/msdos.c
+@@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
+ avail_nsectors = *nsectors;
+ if (*nsectors > max_nsectors)
+ *nsectors = max_nsectors;
+- *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++ *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+ if (!*sectors)
+ return grub_errno;
+ for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index ee299fd..c8d6806 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str)
+ for (iptr = orig_str; *iptr; iptr++)
+ if (*iptr == '$')
+ dollar_cnt++;
+- ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt);
++ ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0]));
+
+ if (parse_string (orig_str, gettext_save_allow, &ctx, 0))
+ goto fail;
+diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c
+index 2d60852..b5eb516 100644
+--- a/grub-core/tests/fake_input.c
++++ b/grub-core/tests/fake_input.c
+@@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in)
+ saved = grub_term_inputs;
+ if (seq)
+ grub_free (seq);
+- seq = grub_malloc (nseq_in * sizeof (seq[0]));
++ seq = grub_calloc (nseq_in, sizeof (seq[0]));
+ if (!seq)
+ return;
+
+diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c
+index 74d5b65..44d0810 100644
+--- a/grub-core/tests/video_checksum.c
++++ b/grub-core/tests/video_checksum.c
+@@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname,
+ {
+ case 4:
+ {
+- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
++ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
+ grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
+ grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
+ grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
+@@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname,
+ }
+ case 3:
+ {
+- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
++ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
+ grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
+ grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
+ grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
+@@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname,
+ }
+ case 2:
+ {
+- grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
++ grub_uint8_t *buffer = xcalloc (3, mode_info->width);
+ grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1);
+ grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1);
+ grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1);
+diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
+index 4f83c74..4d3195e 100644
+--- a/grub-core/video/capture.c
++++ b/grub-core/video/capture.c
+@@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
+ framebuffer.mode_info = *mode_info;
+ framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info);
+
+- framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch);
++ framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
+ if (!framebuffer.ptr)
+ return grub_errno;
+
+diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c
+index a2f639f..0ebab6f 100644
+--- a/grub-core/video/emu/sdl.c
++++ b/grub-core/video/emu/sdl.c
+@@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count,
+ if (start + count > mode_info.number_of_colors)
+ count = mode_info.number_of_colors - start;
+
+- tmp = grub_malloc (count * sizeof (tmp[0]));
++ tmp = grub_calloc (count, sizeof (tmp[0]));
+ for (i = 0; i < count; i++)
+ {
+ tmp[i].r = palette_data[i].r;
+diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
+index 01f4711..b2f776c 100644
+--- a/grub-core/video/i386/pc/vga.c
++++ b/grub-core/video/i386/pc/vga.c
+@@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
+
+ vga_height = height ? : 480;
+
+- framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH);
++ framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH);
+ framebuffer.front_page = 0;
+ framebuffer.back_page = 0;
+ if (!framebuffer.temporary_buffer)
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 777e713..61bd645 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ if (data->is_16bit || data->is_gray || data->is_palette)
+ #endif
+ {
+- data->image_data = grub_malloc (data->image_height * data->row_bytes);
++ data->image_data = grub_calloc (data->image_height, data->row_bytes);
+ if (grub_errno)
+ return grub_errno;
+
+diff --git a/include/grub/unicode.h b/include/grub/unicode.h
+index a0403e9..4de986a 100644
+--- a/include/grub/unicode.h
++++ b/include/grub/unicode.h
+@@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in)
+ grub_memcpy (out, in, sizeof (*in));
+ if (in->ncomb > ARRAY_SIZE (out->combining_inline))
+ {
+- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
++ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
+ if (!out->combining_ptr)
+ {
+ grub_free (out);
+@@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out,
+ grub_memcpy (out, in, sizeof (*in));
+ if (in->ncomb > ARRAY_SIZE (out->combining_inline))
+ {
+- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
++ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
+ if (!out->combining_ptr)
+ return;
+ grub_memcpy (out->combining_ptr, in->combining_ptr,
+diff --git a/util/getroot.c b/util/getroot.c
+index 847406f..a5eaa64 100644
+--- a/util/getroot.c
++++ b/util/getroot.c
+@@ -200,7 +200,7 @@ make_device_name (const char *drive)
+ char *ret, *ptr;
+ const char *iptr;
+
+- ret = xmalloc (strlen (drive) * 2);
++ ret = xcalloc (2, strlen (drive));
+ ptr = ret;
+ for (iptr = drive; *iptr; iptr++)
+ {
+diff --git a/util/grub-file.c b/util/grub-file.c
+index 50c18b6..b2e7dd6 100644
+--- a/util/grub-file.c
++++ b/util/grub-file.c
+@@ -54,7 +54,7 @@ main (int argc, char *argv[])
+
+ grub_util_host_init (&argc, &argv);
+
+- argv2 = xmalloc (argc * sizeof (argv2[0]));
++ argv2 = xcalloc (argc, sizeof (argv2[0]));
+
+ if (argc == 2 && strcmp (argv[1], "--version") == 0)
+ {
+diff --git a/util/grub-fstest.c b/util/grub-fstest.c
+index f14e02d..57246af 100644
+--- a/util/grub-fstest.c
++++ b/util/grub-fstest.c
+@@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
+ if (args_count < num_disks)
+ {
+ if (args_count == 0)
+- images = xmalloc (num_disks * sizeof (images[0]));
++ images = xcalloc (num_disks, sizeof (images[0]));
+ images[args_count] = grub_canonicalize_file_name (arg);
+ args_count++;
+ return 0;
+@@ -734,7 +734,7 @@ main (int argc, char *argv[])
+
+ grub_util_host_init (&argc, &argv);
+
+- args = xmalloc (argc * sizeof (args[0]));
++ args = xcalloc (argc, sizeof (args[0]));
+
+ argp_parse (&argp, argc, argv, 0, 0, 0);
+
+diff --git a/util/grub-install-common.c b/util/grub-install-common.c
+index ca0ac61..0295d40 100644
+--- a/util/grub-install-common.c
++++ b/util/grub-install-common.c
+@@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val,
+ il->n_entries++;
+ }
+ il->n_alloc = il->n_entries + 1;
+- il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0]));
++ il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0]));
+ ptr = val;
+ for (ce = il->entries; ; ce++)
+ {
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 8a55ad4..a82725f 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map)
+ if (! fp)
+ return;
+
+- d = xmalloc (alloced * sizeof (d[0]));
++ d = xcalloc (alloced, sizeof (d[0]));
+
+ while (fgets (buf, sizeof (buf), fp))
+ {
+@@ -1260,7 +1260,7 @@ main (int argc, char *argv[])
+ ndev++;
+ }
+
+- grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1));
++ grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0]));
+
+ for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
+ curdrive++)
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index bc087c2..d97d0e7 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path,
+ + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize);
+ smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset);
+
+- smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections);
+- memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections);
+- smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections);
+- memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections);
++ smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs));
++ smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs));
+
+ SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target);
+
+diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
+index ce2cbc4..5183102 100644
+--- a/util/grub-mkrescue.c
++++ b/util/grub-mkrescue.c
+@@ -441,8 +441,8 @@ main (int argc, char *argv[])
+ xorriso = xstrdup ("xorriso");
+ label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2");
+
+- argp_argv = xmalloc (sizeof (argp_argv[0]) * argc);
+- xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc);
++ argp_argv = xcalloc (argc, sizeof (argp_argv[0]));
++ xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0]));
+
+ xorriso_tail_argc = 0;
+ /* Program name */
+diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
+index 4907d44..edf3097 100644
+--- a/util/grub-mkstandalone.c
++++ b/util/grub-mkstandalone.c
+@@ -296,7 +296,7 @@ main (int argc, char *argv[])
+ grub_util_host_init (&argc, &argv);
+ grub_util_disable_fd_syncs ();
+
+- files = xmalloc ((argc + 1) * sizeof (files[0]));
++ files = xcalloc (argc + 1, sizeof (files[0]));
+
+ argp_parse (&argp, argc, argv, 0, 0, 0);
+
+diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c
+index 0d4084a..1133129 100644
+--- a/util/grub-pe2elf.c
++++ b/util/grub-pe2elf.c
+@@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image,
+ char *pe_strtab = (image + pe_chdr->symtab_offset
+ + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol));
+
+- section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int));
++ section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int));
+ section_map[0] = 0;
+- shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0]));
++ shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0]));
+ idx = 1;
+ idx_reloc = pe_chdr->num_sections + 1;
+
+@@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image,
+
+ pe_sec = pe_shdr + shdr[i].sh_link;
+ pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset);
+- rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t));
++ rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t));
+ num_rels = 0;
+ modified = 0;
+
+@@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image,
+ pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset);
+ pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols);
+
+- symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) *
+- sizeof (Elf_Sym));
+- memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym));
++ symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym));
+ num_syms = 1;
+
+- symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int));
++ symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int));
+
+ for (i = 0; i < (int) pe_chdr->num_symbols;
+ i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1)
+diff --git a/util/grub-probe.c b/util/grub-probe.c
+index 81d27ee..cbe6ed9 100644
+--- a/util/grub-probe.c
++++ b/util/grub-probe.c
+@@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim)
+ grub_util_pull_device (*curdev);
+ ndev++;
+ }
+-
+- drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1));
++
++ drives_names = xcalloc (ndev + 1, sizeof (drives_names[0]));
+
+ for (curdev = device_names, curdrive = drives_names; *curdev; curdev++,
+ curdrive++)
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
new file mode 100644
index 0000000000..7214ead9a7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14309-CVE-2020-14310-CVE-2020-14311-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -0,0 +1,1330 @@
+From eb77d1ef65e25746acff43545f62a71360b15eec Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:28:27 -0400
+Subject: [PATCH 6/9] malloc: Use overflow checking primitives where we do
+ complex allocations
+
+This attempts to fix the places where we do the following where
+arithmetic_expr may include unvalidated data:
+
+ X = grub_malloc(arithmetic_expr);
+
+It accomplishes this by doing the arithmetic ahead of time using grub_add(),
+grub_sub(), grub_mul() and testing for overflow before proceeding.
+
+Among other issues, this fixes:
+ - allocation of integer overflow in grub_video_bitmap_create()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_png_decode_image_header()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_squash_read_symlink()
+ reported by Chris Coulson,
+ - allocation of integer overflow in grub_ext2_read_symlink()
+ reported by Chris Coulson,
+ - allocation of integer overflow in read_section_as_string()
+ reported by Chris Coulson.
+
+Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3f05d693d1274965ffbe4ba99080dc2c570944c6
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/commands/legacycfg.c | 29 +++++++++++++++++++-----
+ grub-core/commands/wildcard.c | 36 ++++++++++++++++++++++++-----
+ grub-core/disk/ldm.c | 32 ++++++++++++++++++--------
+ grub-core/font/font.c | 7 +++++-
+ grub-core/fs/btrfs.c | 28 +++++++++++++++--------
+ grub-core/fs/ext2.c | 10 ++++++++-
+ grub-core/fs/iso9660.c | 51 +++++++++++++++++++++++++++++-------------
+ grub-core/fs/sfs.c | 27 +++++++++++++++++-----
+ grub-core/fs/squash4.c | 45 ++++++++++++++++++++++++++++---------
+ grub-core/fs/udf.c | 41 +++++++++++++++++++++------------
+ grub-core/fs/xfs.c | 11 +++++----
+ grub-core/fs/zfs/zfs.c | 22 ++++++++++++------
+ grub-core/fs/zfs/zfscrypt.c | 7 +++++-
+ grub-core/lib/arg.c | 20 +++++++++++++++--
+ grub-core/loader/i386/bsd.c | 8 ++++++-
+ grub-core/net/dns.c | 9 +++++++-
+ grub-core/normal/charset.c | 10 +++++++--
+ grub-core/normal/cmdline.c | 14 ++++++++++--
+ grub-core/normal/menu_entry.c | 13 +++++++++--
+ grub-core/script/argv.c | 16 +++++++++++--
+ grub-core/script/lexer.c | 21 ++++++++++++++---
+ grub-core/video/bitmap.c | 25 +++++++++++++--------
+ grub-core/video/readers/png.c | 13 +++++++++--
+ 23 files changed, 382 insertions(+), 113 deletions(-)
+
+diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
+index 5e3ec0d..cc5971f 100644
+--- a/grub-core/commands/legacycfg.c
++++ b/grub-core/commands/legacycfg.c
+@@ -32,6 +32,7 @@
+ #include <grub/auth.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -104,13 +105,22 @@ legacy_file (const char *filename)
+ if (newsuffix)
+ {
+ char *t;
+-
++ grub_size_t sz;
++
++ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
++ grub_add (sz, 1, &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail_0;
++ }
++
+ t = suffix;
+- suffix = grub_realloc (suffix, grub_strlen (suffix)
+- + grub_strlen (newsuffix) + 1);
++ suffix = grub_realloc (suffix, sz);
+ if (!suffix)
+ {
+ grub_free (t);
++
++ fail_0:
+ grub_free (entrysrc);
+ grub_free (parsed);
+ grub_free (newsuffix);
+@@ -154,13 +164,22 @@ legacy_file (const char *filename)
+ else
+ {
+ char *t;
++ grub_size_t sz;
++
++ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
++ grub_add (sz, 1, &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail_1;
++ }
+
+ t = entrysrc;
+- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
+- + grub_strlen (parsed) + 1);
++ entrysrc = grub_realloc (entrysrc, sz);
+ if (!entrysrc)
+ {
+ grub_free (t);
++
++ fail_1:
+ grub_free (parsed);
+ grub_free (suffix);
+ return grub_errno;
+diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
+index 4a106ca..cc32903 100644
+--- a/grub-core/commands/wildcard.c
++++ b/grub-core/commands/wildcard.c
+@@ -23,6 +23,7 @@
+ #include <grub/file.h>
+ #include <grub/device.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+
+ #include <regex.h>
+
+@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
+ int i;
+ int j;
+ char **p;
++ grub_size_t sz;
+
+ if (! dest)
+ return ps;
+@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
+ for (j = 0; ps[j]; j++)
+ ;
+
+- p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
++ if (grub_add (i, j, &sz) ||
++ grub_add (sz, 1, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return dest;
++
++ p = grub_realloc (dest, sz);
+ if (! p)
+ {
+ grub_free (dest);
+@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
+ char ch;
+ int i = 0;
+ unsigned len = end - start;
+- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
++ char *buffer;
++ grub_size_t sz;
+
++ /* Worst case size is (len * 2 + 2 + 1). */
++ if (grub_mul (len, 2, &sz) ||
++ grub_add (sz, 3, &sz))
++ return 1;
++
++ buffer = grub_malloc (sz);
+ if (! buffer)
+ return 1;
+
+@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
+ struct match_devices_ctx *ctx = data;
+ char **t;
+ char *buffer;
++ grub_size_t sz;
+
+ /* skip partitions if asked to. */
+ if (ctx->noparts && grub_strchr (name, ','))
+@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
+ if (regexec (ctx->regexp, buffer, 0, 0, 0))
+ {
+ grub_dprintf ("expand", "not matched\n");
++ fail:
+ grub_free (buffer);
+ return 0;
+ }
+
+- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
++ if (grub_add (ctx->ndev, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ goto fail;
++
++ t = grub_realloc (ctx->devs, sz);
+ if (! t)
+ {
+ grub_free (buffer);
+@@ -300,6 +320,7 @@ match_files_iter (const char *name,
+ struct match_files_ctx *ctx = data;
+ char **t;
+ char *buffer;
++ grub_size_t sz;
+
+ /* skip . and .. names */
+ if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
+@@ -315,9 +336,14 @@ match_files_iter (const char *name,
+ if (! buffer)
+ return 1;
+
+- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
+- if (! t)
++ if (grub_add (ctx->nfile, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ goto fail;
++
++ t = grub_realloc (ctx->files, sz);
++ if (!t)
+ {
++ fail:
+ grub_free (buffer);
+ return 1;
+ }
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index e632370..58f8a53 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -25,6 +25,7 @@
+ #include <grub/msdos_partition.h>
+ #include <grub/gpt_partition.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ #ifdef GRUB_UTIL
+ #include <grub/emu/misc.h>
+@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
+ struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
+ / sizeof (struct grub_ldm_vblk)];
+ unsigned i;
++ grub_size_t sz;
+ err = grub_disk_read (disk, cursec, 0,
+ sizeof(vblk), &vblk);
+ if (err)
+@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
+ grub_free (lv);
+ goto fail2;
+ }
+- lv->name = grub_malloc (*ptr + 1);
++ if (grub_add (*ptr, 1, &sz))
++ {
++ grub_free (lv->internal_id);
++ grub_free (lv);
++ goto fail2;
++ }
++ lv->name = grub_malloc (sz);
+ if (!lv->name)
+ {
+ grub_free (lv->internal_id);
+@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
+ if (lv->segments->node_alloc == lv->segments->node_count)
+ {
+ void *t;
+- lv->segments->node_alloc *= 2;
+- t = grub_realloc (lv->segments->nodes,
+- sizeof (*lv->segments->nodes)
+- * lv->segments->node_alloc);
++ grub_size_t sz;
++
++ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
++ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
++ goto fail2;
++
++ t = grub_realloc (lv->segments->nodes, sz);
+ if (!t)
+ goto fail2;
+ lv->segments->nodes = t;
+@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
+ if (comp->segment_alloc == comp->segment_count)
+ {
+ void *t;
+- comp->segment_alloc *= 2;
+- t = grub_realloc (comp->segments,
+- comp->segment_alloc
+- * sizeof (*comp->segments));
++ grub_size_t sz;
++
++ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
++ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
++ goto fail2;
++
++ t = grub_realloc (comp->segments, sz);
+ if (!t)
+ goto fail2;
+ comp->segments = t;
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8e118b3..5edb477 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -30,6 +30,7 @@
+ #include <grub/unicode.h>
+ #include <grub/fontformat.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -360,9 +361,13 @@ static char *
+ read_section_as_string (struct font_file_section *section)
+ {
+ char *str;
++ grub_size_t sz;
+ grub_ssize_t ret;
+
+- str = grub_malloc (section->length + 1);
++ if (grub_add (section->length, 1, &sz))
++ return NULL;
++
++ str = grub_malloc (sz);
+ if (!str)
+ return 0;
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 11272ef..2b65bd5 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -40,6 +40,7 @@
+ #include <grub/btrfs.h>
+ #include <grub/crypto.h>
+ #include <grub/diskfilter.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
+ if (desc->allocated < desc->depth)
+ {
+ void *newdata;
+- desc->allocated *= 2;
+- newdata = grub_realloc (desc->data, sizeof (desc->data[0])
+- * desc->allocated);
++ grub_size_t sz;
++
++ if (grub_mul (desc->allocated, 2, &desc->allocated) ||
++ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ newdata = grub_realloc (desc->data, sz);
+ if (!newdata)
+ return grub_errno;
+ desc->data = newdata;
+@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+ void *tmp;
+- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+- data->devices_attached
+- = grub_realloc (tmp = data->devices_attached,
+- data->n_devices_allocated
+- * sizeof (data->devices_attached[0]));
++ grub_size_t sz;
++
++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++ goto fail;
++
++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+ if (!data->devices_attached)
+ {
++ data->devices_attached = tmp;
++
++ fail:
+ if (ctx.dev_found)
+ grub_device_close (ctx.dev_found);
+- data->devices_attached = tmp;
+ return NULL;
+ }
+ }
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index 9b38980..ac33bcd 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -46,6 +46,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ {
+ char *symlink;
+ struct grub_fshelp_node *diro = node;
++ grub_size_t sz;
+
+ if (! diro->inode_read)
+ {
+@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ }
+ }
+
+- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
++ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ symlink = grub_malloc (sz);
+ if (! symlink)
+ return 0;
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 4f1b52a..7ba5b30 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -28,6 +28,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
+ int len2)
+ {
+ int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
++ grub_size_t sz;
+
+- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
++ if (grub_add (size, len2, &sz) ||
++ grub_add (sz, 1, &sz))
++ return;
++
++ ctx->symlink = grub_realloc (ctx->symlink, sz);
+ if (! ctx->symlink)
+ return;
+
+@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+ {
+ grub_size_t off = 0, csize = 1;
+ char *old;
++ grub_size_t sz;
++
+ csize = entry->len - 5;
+ old = ctx->filename;
+ if (ctx->filename_alloc)
+ {
+ off = grub_strlen (ctx->filename);
+- ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
++ if (grub_add (csize, off, &sz) ||
++ grub_add (sz, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ ctx->filename = grub_realloc (ctx->filename, sz);
+ }
+ else
+ {
+ off = 0;
+- ctx->filename = grub_zalloc (csize + 1);
++ if (grub_add (csize, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ ctx->filename = grub_zalloc (sz);
+ }
+ if (!ctx->filename)
+ {
+@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ if (node->have_dirents >= node->alloc_dirents)
+ {
+ struct grub_fshelp_node *new_node;
+- node->alloc_dirents *= 2;
+- new_node = grub_realloc (node,
+- sizeof (struct grub_fshelp_node)
+- + ((node->alloc_dirents
+- - ARRAY_SIZE (node->dirents))
+- * sizeof (node->dirents[0])));
++ grub_size_t sz;
++
++ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
++ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++ grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
++ goto fail_0;
++
++ new_node = grub_realloc (node, sz);
+ if (!new_node)
+ {
++ fail_0:
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
+ {
+ struct grub_fshelp_node *new_node;
+- new_node = grub_realloc (node,
+- sizeof (struct grub_fshelp_node)
+- + ((node->alloc_dirents
+- - ARRAY_SIZE (node->dirents))
+- * sizeof (node->dirents[0]))
+- + grub_strlen (ctx.symlink) + 1);
++ grub_size_t sz;
++
++ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++ grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
++ grub_add (sz, grub_strlen (ctx.symlink), &sz))
++ goto fail_1;
++
++ new_node = grub_realloc (node, sz);
+ if (!new_node)
+ {
++ fail_1:
+ if (ctx.filename_alloc)
+ grub_free (ctx.filename);
+ grub_free (node);
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 90f7fb3..de2b107 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+ if (node->cache && node->cache_size >= node->cache_allocated)
+ {
+ struct cache_entry *e = node->cache;
+- e = grub_realloc (node->cache,node->cache_allocated * 2
+- * sizeof (e[0]));
++ grub_size_t sz;
++
++ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
++ goto fail;
++
++ e = grub_realloc (node->cache, sz);
+ if (!e)
+ {
++ fail:
+ grub_errno = 0;
+ grub_free (node->cache);
+ node->cache = 0;
+@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
+ grub_size_t len = grub_strlen (name);
+ grub_uint8_t *name_u8;
+ int ret;
++ grub_size_t sz;
++
++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++ grub_add (sz, 1, &sz))
++ return 1;
++
+ *node = grub_malloc (sizeof (**node));
+ if (!*node)
+ return 1;
+- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ name_u8 = grub_malloc (sz);
+ if (!name_u8)
+ {
+ grub_free (*node);
+@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
+ data = grub_sfs_mount (disk);
+ if (data)
+ {
+- grub_size_t len = grub_strlen (data->label);
+- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++ grub_size_t sz, len = grub_strlen (data->label);
++
++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++ grub_add (sz, 1, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ *label = grub_malloc (sz);
+ if (*label)
+ *grub_latin1_to_utf8 ((grub_uint8_t *) *label,
+ (const grub_uint8_t *) data->label,
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 95d5c1e..7851238 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/deflate.h>
++#include <grub/safemath.h>
+ #include <minilzo.h>
+
+ #include "xz.h"
+@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
+ {
+ char *ret;
+ grub_err_t err;
+- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
++ grub_size_t sz;
++
++ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ ret = grub_malloc (sz);
++ if (!ret)
++ return NULL;
+
+ err = read_chunk (node->data, ret,
+ grub_le_to_cpu32 (node->ino.symlink.namelen),
+@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+
+ {
+ grub_fshelp_node_t node;
+- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_size_t sz;
++
++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (!node)
+ return 0;
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz);
+ if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
+ return 1;
+
+@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ {
+ grub_err_t err;
+
+- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (!node)
+ return 0;
+
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz);
+
+ node->stsize--;
+ err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
+@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
+ struct grub_squash_dirent di;
+ struct grub_squash_inode ino;
++ grub_size_t sz;
+
+ err = read_chunk (dir->data, &di, sizeof (di),
+ grub_le_to_cpu64 (dir->data->sb.diroffset)
+@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
+ filetype = GRUB_FSHELP_SYMLINK;
+
+- node = grub_malloc (sizeof (*node)
+- + (dir->stsize + 1) * sizeof (dir->stack[0]));
++ if (grub_add (dir->stsize, 1, &sz) ||
++ grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
++ grub_add (sz, sizeof (*node), &sz))
++ return 0;
++
++ node = grub_malloc (sz);
+ if (! node)
+ return 0;
+
+- grub_memcpy (node, dir,
+- sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++ grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
+
+ node->ino = ino;
+ node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index a837616..21ac7f4 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -28,6 +28,7 @@
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
+ #include <grub/udf.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+ utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
+ }
+ if (!outbuf)
+- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++ {
++ grub_size_t size;
++
++ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
++ grub_add (size, 1, &size))
++ goto fail;
++
++ outbuf = grub_malloc (size);
++ }
+ if (outbuf)
+ *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
++
++ fail:
+ grub_free (utf16);
+ return outbuf;
+ }
+@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ grub_size_t sz = U64 (node->block.fe.file_size);
+ grub_uint8_t *raw;
+ const grub_uint8_t *ptr;
+- char *out, *optr;
++ char *out = NULL, *optr;
+
+ if (sz < 4)
+ return NULL;
+@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ if (!raw)
+ return NULL;
+ if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
+- {
+- grub_free (raw);
+- return NULL;
+- }
++ goto fail_1;
+
+- out = grub_malloc (sz * 2 + 1);
++ if (grub_mul (sz, 2, &sz) ||
++ grub_add (sz, 1, &sz))
++ goto fail_0;
++
++ out = grub_malloc (sz);
+ if (!out)
+ {
++ fail_0:
+ grub_free (raw);
+ return NULL;
+ }
+@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ {
+ grub_size_t s;
+ if ((grub_size_t) (ptr - raw + 4) > sz)
+- goto fail;
++ goto fail_1;
+ if (!(ptr[2] == 0 && ptr[3] == 0))
+- goto fail;
++ goto fail_1;
+ s = 4 + ptr[1];
+ if ((grub_size_t) (ptr - raw + s) > sz)
+- goto fail;
++ goto fail_1;
+ switch (*ptr)
+ {
+ case 1:
+ if (ptr[1])
+- goto fail;
++ goto fail_1;
+ /* Fallthrough. */
+ case 2:
+ /* in 4 bytes. out: 1 byte. */
+@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ if (optr != out)
+ *optr++ = '/';
+ if (!read_string (ptr + 4, s - 4, optr))
+- goto fail;
++ goto fail_1;
+ optr += grub_strlen (optr);
+ break;
+ default:
+- goto fail;
++ goto fail_1;
+ }
+ ptr += s;
+ }
+@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ grub_free (raw);
+ return out;
+
+- fail:
++ fail_1:
+ grub_free (raw);
+ grub_free (out);
+ grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index 96ffecb..ea65902 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -899,6 +900,7 @@ static struct grub_xfs_data *
+ grub_xfs_mount (grub_disk_t disk)
+ {
+ struct grub_xfs_data *data = 0;
++ grub_size_t sz;
+
+ data = grub_zalloc (sizeof (struct grub_xfs_data));
+ if (!data)
+@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
+ if (!grub_xfs_sb_valid(data))
+ goto fail;
+
+- data = grub_realloc (data,
+- sizeof (struct grub_xfs_data)
+- - sizeof (struct grub_xfs_inode)
+- + grub_xfs_inode_size(data) + 1);
++ if (grub_add (grub_xfs_inode_size (data),
++ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
++ goto fail;
++
++ data = grub_realloc (data, sz);
+
+ if (! data)
+ goto fail;
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 381dde5..36d0373 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -55,6 +55,7 @@
+ #include <grub/deflate.h>
+ #include <grub/crypto.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
+ if (data->n_devices_attached > data->n_devices_allocated)
+ {
+ void *tmp;
+- data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+- data->devices_attached
+- = grub_realloc (tmp = data->devices_attached,
+- data->n_devices_allocated
+- * sizeof (data->devices_attached[0]));
++ grub_size_t sz;
++
++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+ if (!data->devices_attached)
+ {
+ data->devices_attached = tmp;
+@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
+ {
+ char *nvpair;
+ char *ret;
+- grub_size_t size;
++ grub_size_t size, sz;
+ int found;
+
+ found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
+ &size, 0);
+ if (!found)
+ return 0;
+- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
++
++ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
++ return 0;
++
++ ret = grub_zalloc (sz);
+ if (!ret)
+ return 0;
+ grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
+diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
+index 1402e0b..de3b015 100644
+--- a/grub-core/fs/zfs/zfscrypt.c
++++ b/grub-core/fs/zfs/zfscrypt.c
+@@ -22,6 +22,7 @@
+ #include <grub/misc.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/zfs/zfs.h>
+@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
+ int passphrase)
+ {
+ struct grub_zfs_wrap_key *key;
++ grub_size_t sz;
++
+ if (!passphrase && keylen > 32)
+ keylen = 32;
+- key = grub_malloc (sizeof (*key) + keylen);
++ if (grub_add (sizeof (*key), keylen, &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++ key = grub_malloc (sz);
+ if (!key)
+ return grub_errno;
+ key->is_passphrase = passphrase;
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index fd7744a..3288609 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -23,6 +23,7 @@
+ #include <grub/term.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ /* Built-in parser for default options. */
+ static const struct grub_arg_option help_options[] =
+@@ -216,7 +217,13 @@ static inline grub_err_t
+ add_arg (char ***argl, int *num, char *s)
+ {
+ char **p = *argl;
+- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
++ grub_size_t sz;
++
++ if (grub_add (++(*num), 1, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ *argl = grub_realloc (*argl, sz);
+ if (! *argl)
+ {
+ grub_free (p);
+@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ grub_size_t argcnt;
+ struct grub_arg_list *list;
+ const struct grub_arg_option *options;
++ grub_size_t sz0, sz1;
+
+ options = extcmd->options;
+ if (! options)
+@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
+ }
+
+- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
++ if (grub_mul (sizeof (*list), i, &sz0) ||
++ grub_mul (sizeof (char *), argcnt, &sz1) ||
++ grub_add (sz0, sz1, &sz0))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return 0;
++ }
++
++ list = grub_zalloc (sz0);
+ if (! list)
+ return 0;
+
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index 3730ed3..b92cbe9 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -35,6 +35,7 @@
+ #include <grub/ns8250.h>
+ #include <grub/bsdlabel.h>
+ #include <grub/crypto.h>
++#include <grub/safemath.h>
+ #include <grub/verify.h>
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/int.h>
+@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
+ struct grub_netbsd_btinfo_modules *mods;
+ unsigned i;
+ grub_err_t err;
++ grub_size_t sz;
+
+ for (mod = netbsd_mods; mod; mod = mod->next)
+ modcnt++;
+
+- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
++ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
++ grub_add (sz, sizeof (*mods), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ mods = grub_malloc (sz);
+ if (!mods)
+ return grub_errno;
+
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index e332d5e..906ec7d 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -22,6 +22,7 @@
+ #include <grub/i18n.h>
+ #include <grub/err.h>
+ #include <grub/time.h>
++#include <grub/safemath.h>
+
+ struct dns_cache_element
+ {
+@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
+ {
+ int na = dns_servers_alloc * 2;
+ struct grub_net_network_level_address *ns;
++ grub_size_t sz;
++
+ if (na < 8)
+ na = 8;
+- ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
++
++ if (grub_mul (na, sizeof (ns[0]), &sz))
++ return GRUB_ERR_OUT_OF_RANGE;
++
++ ns = grub_realloc (dns_servers, sz);
+ if (!ns)
+ return grub_errno;
+ dns_servers_alloc = na;
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index d57fb72..4dfcc31 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -48,6 +48,7 @@
+ #include <grub/unicode.h>
+ #include <grub/term.h>
+ #include <grub/normal.h>
++#include <grub/safemath.h>
+
+ #if HAVE_FONT_SOURCE
+ #include "widthspec.h"
+@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ {
+ struct grub_unicode_combining *n;
+ unsigned j;
++ grub_size_t sz;
+
+ if (!haveout)
+ continue;
+@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ n = out->combining_inline;
+ else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
+ {
+- n = grub_realloc (out->combining_ptr,
+- sizeof (n[0]) * (out->ncomb + 1));
++ if (grub_add (out->ncomb, 1, &sz) ||
++ grub_mul (sz, sizeof (n[0]), &sz))
++ goto fail;
++
++ n = grub_realloc (out->combining_ptr, sz);
+ if (!n)
+ {
++ fail:
+ grub_errno = GRUB_ERR_NONE;
+ continue;
+ }
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index c57242e..de03fe6 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -28,6 +28,7 @@
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ static grub_uint32_t *kill_buf;
+
+@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
+ if (len + (*llen) >= (*max_len))
+ {
+ grub_uint32_t *nbuf;
+- (*max_len) *= 2;
+- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
++ grub_size_t sz;
++
++ if (grub_mul (*max_len, 2, max_len) ||
++ grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
++ {
++ grub_errno = GRUB_ERR_OUT_OF_RANGE;
++ goto fail;
++ }
++
++ nbuf = grub_realloc ((*buf), sz);
+ if (nbuf)
+ (*buf) = nbuf;
+ else
+ {
++ fail:
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ (*max_len) /= 2;
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index 1993995..50eef91 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -27,6 +27,7 @@
+ #include <grub/auth.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+
+ enum update_mode
+ {
+@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
+ {
+ if (linep->max_len < linep->len + extra)
+ {
+- linep->max_len = 2 * (linep->len + extra);
+- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
++ grub_size_t sz0, sz1;
++
++ if (grub_add (linep->len, extra, &sz0) ||
++ grub_mul (sz0, 2, &sz0) ||
++ grub_add (sz0, 1, &sz1) ||
++ grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
++ return 0;
++
++ linep->buf = grub_realloc (linep->buf, sz1);
+ if (! linep->buf)
+ return 0;
++ linep->max_len = sz0;
+ }
+
+ return 1;
+diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
+index 217ec5d..5751fdd 100644
+--- a/grub-core/script/argv.c
++++ b/grub-core/script/argv.c
+@@ -20,6 +20,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+
+ /* Return nearest power of two that is >= v. */
+ static unsigned
+@@ -81,11 +82,16 @@ int
+ grub_script_argv_next (struct grub_script_argv *argv)
+ {
+ char **p = argv->args;
++ grub_size_t sz;
+
+ if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
+ return 0;
+
+- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
++ if (grub_add (argv->argc, 2, &sz) ||
++ grub_mul (sz, sizeof (char *), &sz))
++ return 1;
++
++ p = grub_realloc (p, round_up_exp (sz));
+ if (! p)
+ return 1;
+
+@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
+ {
+ grub_size_t a;
+ char *p = argv->args[argv->argc - 1];
++ grub_size_t sz;
+
+ if (! s)
+ return 0;
+
+ a = p ? grub_strlen (p) : 0;
+
+- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
++ if (grub_add (a, slen, &sz) ||
++ grub_add (sz, 1, &sz) ||
++ grub_mul (sz, sizeof (char), &sz))
++ return 1;
++
++ p = grub_realloc (p, round_up_exp (sz));
+ if (! p)
+ return 1;
+
+diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
+index c6bd317..5fb0cbd 100644
+--- a/grub-core/script/lexer.c
++++ b/grub-core/script/lexer.c
+@@ -24,6 +24,7 @@
+ #include <grub/mm.h>
+ #include <grub/script_sh.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ #define yytext_ptr char *
+ #include "grub_script.tab.h"
+@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
+ old = lexer->recording;
+ if (lexer->recordlen < len)
+ lexer->recordlen = len;
+- lexer->recordlen *= 2;
++
++ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
++ goto fail;
++
+ lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
+ if (!lexer->recording)
+ {
++ fail:
+ grub_free (old);
+ lexer->recordpos = 0;
+ lexer->recordlen = 0;
+@@ -130,7 +135,7 @@ int
+ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ const char *input)
+ {
+- grub_size_t len = 0;
++ grub_size_t len = 0, sz;
+ char *p = 0;
+ char *line = 0;
+ YY_BUFFER_STATE buffer;
+@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ }
+ else if (len && line[len - 1] != '\n')
+ {
+- p = grub_realloc (line, len + 2);
++ if (grub_add (len, 2, &sz))
++ {
++ grub_free (line);
++ grub_script_yyerror (parserstate, N_("overflow is detected"));
++ return 1;
++ }
++
++ p = grub_realloc (line, sz);
+ if (p)
+ {
+ p[len++] = '\n';
+ p[len] = '\0';
+ }
++ else
++ grub_free (line);
++
+ line = p;
+ }
+
+diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
+index b2e0315..6256e20 100644
+--- a/grub-core/video/bitmap.c
++++ b/grub-core/video/bitmap.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+ enum grub_video_blit_format blit_format)
+ {
+ struct grub_video_mode_info *mode_info;
+- unsigned int size;
++ grub_size_t size;
+
+ if (!bitmap)
+ return grub_error (GRUB_ERR_BUG, "invalid argument");
+@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+
+ mode_info->pitch = width * mode_info->bytes_per_pixel;
+
+- /* Calculate size needed for the data. */
+- size = (width * mode_info->bytes_per_pixel) * height;
++ /* Calculate size needed for the data. */
++ if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
++ grub_mul (size, height, &size))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ goto fail;
++ }
+
+ (*bitmap)->data = grub_zalloc (size);
+ if (! (*bitmap)->data)
+- {
+- grub_free (*bitmap);
+- *bitmap = 0;
+-
+- return grub_errno;
+- }
++ goto fail;
+
+ return GRUB_ERR_NONE;
++
++ fail:
++ grub_free (*bitmap);
++ *bitmap = NULL;
++
++ return grub_errno;
+ }
+
+ /* Frees all resources allocated by bitmap. */
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 61bd645..0157ff7 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp <<= 1;
+
+ data->color_bits = color_bits;
+- data->row_bytes = data->image_width * data->bpp;
++
++ if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
+ if (data->color_bits <= 4)
+- data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
++ {
++ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ data->row_bytes >>= 3;
++ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+ if (data->is_16bit || data->is_gray || data->is_palette)
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch
new file mode 100644
index 0000000000..08e7666cde
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch
@@ -0,0 +1,76 @@
+From 0d237c0b90f0c6d4a3662c569b2371ae3ed69574 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:41 +0200
+Subject: [PATCH] acpi: Don't register the acpi command when locked down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The command is not allowed when lockdown is enforced. Otherwise an
+attacker can instruct the GRUB to load an SSDT table to overwrite
+the kernel lockdown configuration and later load and execute
+unsigned code.
+
+Fixes: CVE-2020-14372
+
+Reported-by: Máté Kukri <km@mkukri.xyz>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e8e4c0549240fa209acffceb473e1e509b50c95]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 5 +++++
+ grub-core/commands/acpi.c | 15 ++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 0786427..47ac7ff 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer
+ (RSDP) in the Extended BIOS Data Area to point to the new tables. If the
+ @option{--no-ebda} option is used, the new tables will be known only to
+ GRUB, but may be used by GRUB's EFI emulation.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ Otherwise an attacker can instruct the GRUB to load an SSDT table to
++ overwrite the kernel lockdown configuration and later load and execute
++ unsigned code.
+ @end deffn
+
+
+diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
+index 5a1499a..1215f2a 100644
+--- a/grub-core/commands/acpi.c
++++ b/grub-core/commands/acpi.c
+@@ -27,6 +27,7 @@
+ #include <grub/mm.h>
+ #include <grub/memory.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ #ifdef GRUB_MACHINE_EFI
+ #include <grub/efi/efi.h>
+@@ -775,13 +776,13 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(acpi)
+ {
+- cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0,
+- N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
+- "--load-only=TABLE1,TABLE2] FILE1"
+- " [FILE2] [...]"),
+- N_("Load host ACPI tables and tables "
+- "specified by arguments."),
+- options);
++ cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0,
++ N_("[-1|-2] [--exclude=TABLE1,TABLE2|"
++ "--load-only=TABLE1,TABLE2] FILE1"
++ " [FILE2] [...]"),
++ N_("Load host ACPI tables and tables "
++ "specified by arguments."),
++ options);
+ }
+
+ GRUB_MOD_FINI(acpi)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
new file mode 100644
index 0000000000..745f335501
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch
@@ -0,0 +1,130 @@
+From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Wed, 23 Sep 2020 11:33:33 -0400
+Subject: [PATCH] verifiers: Move verifiers API to kernel image
+
+Move verifiers API from a module to the kernel image, so it can be
+used there as well. There are no functional changes in this patch.
+
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/Makefile.am | 1 +
+ grub-core/Makefile.core.def | 6 +-----
+ grub-core/kern/main.c | 4 ++++
+ grub-core/{commands => kern}/verifiers.c | 8 ++------
+ include/grub/verify.h | 9 ++++++---
+ 5 files changed, 14 insertions(+), 14 deletions(-)
+ rename grub-core/{commands => kern}/verifiers.c (97%)
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 3ea8e7f..375c30d 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 474a63e..cff02f2 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -140,6 +140,7 @@ kernel = {
+ common = kern/rescue_parser.c;
+ common = kern/rescue_reader.c;
+ common = kern/term.c;
++ common = kern/verifiers.c;
+
+ noemu = kern/compiler-rt.c;
+ noemu = kern/mm.c;
+@@ -942,11 +943,6 @@ module = {
+ cppflags = '-I$(srcdir)/lib/posix_wrap';
+ };
+
+-module = {
+- name = verifiers;
+- common = commands/verifiers.c;
+-};
+-
+ module = {
+ name = shim_lock;
+ common = commands/efi/shim_lock.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 9cad0c4..73967e2 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
++#include <grub/verify.h>
+
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -274,6 +275,9 @@ grub_main (void)
+ grub_printf ("Welcome to GRUB!\n\n");
+ grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+
++ /* Init verifiers API. */
++ grub_verifiers_init ();
++
+ grub_load_config ();
+
+ grub_boot_time ("Before loading embedded modules.");
+diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
+similarity index 97%
+rename from grub-core/commands/verifiers.c
+rename to grub-core/kern/verifiers.c
+index 0dde481..aa3dc7c 100644
+--- a/grub-core/commands/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+ return GRUB_ERR_NONE;
+ }
+
+-GRUB_MOD_INIT(verifiers)
++void
++grub_verifiers_init (void)
+ {
+ grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+ }
+-
+-GRUB_MOD_FINI(verifiers)
+-{
+- grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+-}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index ea04914..cd129c3 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -64,7 +64,10 @@ struct grub_file_verifier
+ grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+ };
+
+-extern struct grub_file_verifier *grub_file_verifiers;
++extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
++
++extern void
++grub_verifiers_init (void);
+
+ static inline void
+ grub_verifier_register (struct grub_file_verifier *ver)
+@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+ grub_list_remove (GRUB_AS_LIST (ver));
+ }
+
+-grub_err_t
+-grub_verify_string (char *str, enum grub_verify_string_type type);
++extern grub_err_t
++EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+
+ #endif /* ! GRUB_VERIFY_HEADER */
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
new file mode 100644
index 0000000000..a98b5d0455
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
@@ -0,0 +1,431 @@
+From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:02 +0200
+Subject: [PATCH] kern: Add lockdown support
+
+When the GRUB starts on a secure boot platform, some commands can be
+used to subvert the protections provided by the verification mechanism and
+could lead to booting untrusted system.
+
+To prevent that situation, allow GRUB to be locked down. That way the code
+may check if GRUB has been locked down and further restrict the commands
+that are registered or what subset of their functionality could be used.
+
+The lockdown support adds the following components:
+
+* The grub_lockdown() function which can be used to lockdown GRUB if,
+ e.g., UEFI Secure Boot is enabled.
+
+* The grub_is_lockdown() function which can be used to check if the GRUB
+ was locked down.
+
+* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
+ tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
+ verifiers. These files are only successfully verified if another registered
+ verifier returns success. Otherwise, the whole verification process fails.
+
+ For example, PE/COFF binaries verification can be done by the shim_lock
+ verifier which validates the signatures using the shim_lock protocol.
+ However, the verification is not deferred directly to the shim_lock verifier.
+ The shim_lock verifier is hooked into the verification process instead.
+
+* A set of grub_{command,extcmd}_lockdown functions that can be used by
+ code registering command handlers, to only register unsafe commands if
+ the GRUB has not been locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.common | 2 +
+ docs/grub-dev.texi | 27 +++++++++++++
+ docs/grub.texi | 8 ++++
+ grub-core/Makefile.am | 5 ++-
+ grub-core/Makefile.core.def | 1 +
+ grub-core/commands/extcmd.c | 23 +++++++++++
+ grub-core/kern/command.c | 24 +++++++++++
+ grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++
+ include/grub/command.h | 5 +++
+ include/grub/extcmd.h | 7 ++++
+ include/grub/lockdown.h | 44 ++++++++++++++++++++
+ 11 files changed, 225 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/kern/lockdown.c
+ create mode 100644 include/grub/lockdown.h
+
+diff --git a/conf/Makefile.common b/conf/Makefile.common
+index 6cd71cb..2a1a886 100644
+--- a/conf/Makefile.common
++++ b/conf/Makefile.common
+@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
++CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index ee389fd..635ec72 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
+ * PFF2 Font File Format::
+ * Graphical Menu Software Design::
+ * Verifiers framework::
++* Lockdown framework::
+ * Copying This Manual:: Copying This Manual
+ * Index::
+ @end menu
+@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
+ the context. If you return no error during any of @samp{init}, @samp{write} and
+ @samp{fini} then the file is considered as having succeded verification.
+
++@node Lockdown framework
++@chapter Lockdown framework
++
++The GRUB can be locked down, which is a restricted mode where some operations
++are not allowed. For instance, some commands cannot be used when the GRUB is
++locked down.
++
++The function
++@code{grub_lockdown()} is used to lockdown GRUB and the function
++@code{grub_is_lockdown()} function can be used to check whether lockdown is
++enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
++and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
++
++The following functions can be used to register the commands that can only be
++used when lockdown is disabled:
++
++@itemize
++
++@item @code{grub_cmd_lockdown()} registers command which should not run when the
++GRUB is in lockdown mode.
++
++@item @code{grub_cmd_lockdown()} registers extended command which should not run
++when the GRUB is in lockdown mode.
++
++@end itemize
++
+ @node Copying This Manual
+ @appendix Copying This Manual
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 8779507..d778bfb 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
+ * Using digital signatures:: Booting digitally signed code
+ * UEFI secure boot and shim:: Booting digitally signed PE files
+ * Measured Boot:: Measuring boot components
++* Lockdown:: Lockdown when booting on a secure setup
+ @end menu
+
+ @node Authentication and authorisation
+@@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
+
+ Measured boot is currently only supported on EFI platforms.
+
++@node Lockdown
++@section Lockdown when booting on a secure setup
++
++The GRUB can be locked down when booted on a secure boot environment, for example
++if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
++be restricted and some operations/commands cannot be executed.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 375c30d..3096241 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
+ if COND_emu
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
+@@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES)
+ b=`basename $$pp .marker`; \
+ sed -n \
+ -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
++ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
++ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
++ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ done) | sort -u > $@
+ platform_DATA += command.lst
+ CLEANFILES += command.lst
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index cff02f2..651ea2a 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -204,6 +204,7 @@ kernel = {
+ efi = term/efi/console.c;
+ efi = kern/acpi.c;
+ efi = kern/efi/acpi.c;
++ efi = kern/lockdown.c;
+ i386_coreboot = kern/i386/pc/acpi.c;
+ i386_multiboot = kern/i386/pc/acpi.c;
+ i386_coreboot = kern/acpi.c;
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 69574e2..90a5ca2 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -19,6 +19,7 @@
+
+ #include <grub/mm.h>
+ #include <grub/list.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/extcmd.h>
+ #include <grub/script_sh.h>
+@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
+ summary, description, parser, 1);
+ }
+
++static grub_err_t
++grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
++ int argc __attribute__ ((unused)),
++ char **argv __attribute__ ((unused)))
++{
++ return grub_error (GRUB_ERR_ACCESS_DENIED,
++ N_("%s: the command is not allowed when lockdown is enforced"),
++ ctxt->extcmd->cmd->name);
++}
++
++grub_extcmd_t
++grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
++ grub_command_flags_t flags, const char *summary,
++ const char *description,
++ const struct grub_arg_option *parser)
++{
++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++ func = grub_extcmd_lockdown;
++
++ return grub_register_extcmd (name, func, flags, summary, description, parser);
++}
++
+ void
+ grub_unregister_extcmd (grub_extcmd_t ext)
+ {
+diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
+index acd7218..4aabcd4 100644
+--- a/grub-core/kern/command.c
++++ b/grub-core/kern/command.c
+@@ -17,6 +17,7 @@
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
++#include <grub/lockdown.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+
+@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
+ return cmd;
+ }
+
++static grub_err_t
++grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
++ int argc __attribute__ ((unused)),
++ char **argv __attribute__ ((unused)))
++
++{
++ return grub_error (GRUB_ERR_ACCESS_DENIED,
++ N_("%s: the command is not allowed when lockdown is enforced"),
++ cmd->name);
++}
++
++grub_command_t
++grub_register_command_lockdown (const char *name,
++ grub_command_func_t func,
++ const char *summary,
++ const char *description)
++{
++ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
++ func = grub_cmd_lockdown;
++
++ return grub_register_command_prio (name, func, summary, description, 0);
++}
++
+ void
+ grub_unregister_command (grub_command_t cmd)
+ {
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+new file mode 100644
+index 0000000..1e56c0b
+--- /dev/null
++++ b/grub-core/kern/lockdown.c
+@@ -0,0 +1,80 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++#include <grub/dl.h>
++#include <grub/file.h>
++#include <grub/lockdown.h>
++#include <grub/verify.h>
++
++static int lockdown = GRUB_LOCKDOWN_DISABLED;
++
++static grub_err_t
++lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ case GRUB_FILE_TYPE_GRUB_MODULE:
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_NTLDR:
++ case GRUB_FILE_TYPE_TRUECRYPT:
++ case GRUB_FILE_TYPE_FREEDOS:
++ case GRUB_FILE_TYPE_PXECHAINLOADER:
++ case GRUB_FILE_TYPE_PCCHAINLOADER:
++ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ case GRUB_FILE_TYPE_ACPI_TABLE:
++ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
++
++ /* Fall through. */
++
++ default:
++ return GRUB_ERR_NONE;
++ }
++}
++
++struct grub_file_verifier lockdown_verifier =
++ {
++ .name = "lockdown_verifier",
++ .init = lockdown_verifier_init,
++ };
++
++void
++grub_lockdown (void)
++{
++ lockdown = GRUB_LOCKDOWN_ENABLED;
++
++ grub_verifier_register (&lockdown_verifier);
++}
++
++int
++grub_is_lockdown (void)
++{
++ return lockdown;
++}
+diff --git a/include/grub/command.h b/include/grub/command.h
+index eee4e84..2a6f7f8 100644
+--- a/include/grub/command.h
++++ b/include/grub/command.h
+@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
+ const char *summary,
+ const char *description,
+ int prio);
++grub_command_t
++EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
++ grub_command_func_t func,
++ const char *summary,
++ const char *description);
+ void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
+
+ static inline grub_command_t
+diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
+index 19fe592..fe9248b 100644
+--- a/include/grub/extcmd.h
++++ b/include/grub/extcmd.h
+@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
+ const char *description,
+ const struct grub_arg_option *parser);
+
++grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
++ grub_extcmd_func_t func,
++ grub_command_flags_t flags,
++ const char *summary,
++ const char *description,
++ const struct grub_arg_option *parser);
++
+ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
+ grub_extcmd_func_t func,
+ grub_command_flags_t flags,
+diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
+new file mode 100644
+index 0000000..40531fa
+--- /dev/null
++++ b/include/grub/lockdown.h
+@@ -0,0 +1,44 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_LOCKDOWN_H
++#define GRUB_LOCKDOWN_H 1
++
++#include <grub/symbol.h>
++
++#define GRUB_LOCKDOWN_DISABLED 0
++#define GRUB_LOCKDOWN_ENABLED 1
++
++#ifdef GRUB_MACHINE_EFI
++extern void
++EXPORT_FUNC (grub_lockdown) (void);
++extern int
++EXPORT_FUNC (grub_is_lockdown) (void);
++#else
++static inline void
++grub_lockdown (void)
++{
++}
++
++static inline int
++grub_is_lockdown (void)
++{
++ return GRUB_LOCKDOWN_DISABLED;
++}
++#endif
++#endif /* ! GRUB_LOCKDOWN_H */
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
new file mode 100644
index 0000000000..93fdd2cb1a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch
@@ -0,0 +1,57 @@
+From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 2 Feb 2021 19:59:48 +0100
+Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
+
+It may be useful for scripts to determine whether the GRUB is locked
+down or not. Add the lockdown variable which is set to "y" when the GRUB
+is locked down.
+
+Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 3 +++
+ grub-core/kern/lockdown.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index d778bfb..5e6cace 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
+ if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+ be restricted and some operations/commands cannot be executed.
+
++The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
++Otherwise it does not exit.
++
+ @node Platform limitations
+ @chapter Platform limitations
+
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+index 1e56c0b..0bc70fd 100644
+--- a/grub-core/kern/lockdown.c
++++ b/grub-core/kern/lockdown.c
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/dl.h>
++#include <grub/env.h>
+ #include <grub/file.h>
+ #include <grub/lockdown.h>
+ #include <grub/verify.h>
+@@ -71,6 +72,9 @@ grub_lockdown (void)
+ lockdown = GRUB_LOCKDOWN_ENABLED;
+
+ grub_verifier_register (&lockdown_verifier);
++
++ grub_env_set ("lockdown", "y");
++ grub_env_export ("lockdown");
+ }
+
+ int
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
new file mode 100644
index 0000000000..ac509b63c7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
@@ -0,0 +1,52 @@
+From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/init.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 3dfdf2d..db84d82 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -20,6 +20,7 @@
+ #include <grub/efi/efi.h>
+ #include <grub/efi/console.h>
+ #include <grub/efi/disk.h>
++#include <grub/lockdown.h>
+ #include <grub/term.h>
+ #include <grub/misc.h>
+ #include <grub/env.h>
+@@ -39,6 +40,20 @@ grub_efi_init (void)
+ /* Initialize the memory management system. */
+ grub_efi_mm_init ();
+
++ /*
++ * Lockdown the GRUB and register the shim_lock verifier
++ * if the UEFI Secure Boot is enabled.
++ */
++ if (grub_efi_secure_boot ())
++ {
++ grub_lockdown ();
++ /* NOTE: Our version does not have the shim_lock_verifier,
++ * need to update below if added */
++#if 0
++ grub_shim_lock_verifier_setup ();
++#endif
++ }
++
+ efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+ 0, 0, 0, NULL);
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
new file mode 100644
index 0000000000..12ec4e1c17
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
@@ -0,0 +1,158 @@
+From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+ modules list
+
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 10 ++++++++++
+ grub-core/commands/i386/wrmsr.c | 5 +++--
+ grub-core/commands/iorw.c | 19 ++++++++++---------
+ grub-core/commands/memrw.c | 19 ++++++++++---------
+ 4 files changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 5e6cace..0786427 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
+ Also, if you specify a reserved or unimplemented MSR address, it will
+ cause a general protection exception (which is not currently being handled)
+ and the system will reboot.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node xen_hypervisor
+@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
+ shim_lock module. And itself it is a persistent module which means that
+ it cannot be unloaded if it was loaded into the memory.
+
++All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
++Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
++that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
++and @command{memrw} will not be available when the UEFI secure boot is enabled.
++This is done for security reasons and are enforced by the GRUB Lockdown mechanism
++(@pxref{Lockdown}).
++
+ @node Measured Boot
+ @section Measuring boot components
+
+diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
+index 9c5e510..56a29c2 100644
+--- a/grub-core/commands/i386/wrmsr.c
++++ b/grub-core/commands/i386/wrmsr.c
+@@ -24,6 +24,7 @@
+ #include <grub/env.h>
+ #include <grub/command.h>
+ #include <grub/extcmd.h>
++#include <grub/lockdown.h>
+ #include <grub/i18n.h>
+ #include <grub/i386/cpuid.h>
+ #include <grub/i386/wrmsr.h>
+@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
+
+ GRUB_MOD_INIT(wrmsr)
+ {
+- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+- N_("Write a value to a CPU model specific register."));
++ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
++ N_("Write a value to a CPU model specific register."));
+ }
+
+ GRUB_MOD_FINI(wrmsr)
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index a0c164e..584baec 100644
+--- a/grub-core/commands/iorw.c
++++ b/grub-core/commands/iorw.c
+@@ -23,6 +23,7 @@
+ #include <grub/env.h>
+ #include <grub/cpu/io.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
+ N_("PORT"), N_("Read 32-bit value from PORT."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("outb", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 8-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outb", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 8-bit VALUE to PORT."));
+ cmd_write_word =
+- grub_register_command ("outw", grub_cmd_write,
+- N_("PORT VALUE [MASK]"),
+- N_("Write 16-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outw", grub_cmd_write,
++ N_("PORT VALUE [MASK]"),
++ N_("Write 16-bit VALUE to PORT."));
+ cmd_write_dword =
+- grub_register_command ("outl", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to PORT."));
++ grub_register_command_lockdown ("outl", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to PORT."));
+ }
+
+ GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 98769ea..d401a6d 100644
+--- a/grub-core/commands/memrw.c
++++ b/grub-core/commands/memrw.c
+@@ -22,6 +22,7 @@
+ #include <grub/extcmd.h>
+ #include <grub/env.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
+ N_("ADDR"), N_("Read 32-bit value from ADDR."),
+ options);
+ cmd_write_byte =
+- grub_register_command ("write_byte", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 8-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_byte", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 8-bit VALUE to ADDR."));
+ cmd_write_word =
+- grub_register_command ("write_word", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 16-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_word", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 16-bit VALUE to ADDR."));
+ cmd_write_dword =
+- grub_register_command ("write_dword", grub_cmd_write,
+- N_("ADDR VALUE [MASK]"),
+- N_("Write 32-bit VALUE to ADDR."));
++ grub_register_command_lockdown ("write_dword", grub_cmd_write,
++ N_("ADDR VALUE [MASK]"),
++ N_("Write 32-bit VALUE to ADDR."));
+ }
+
+ GRUB_MOD_FINI(memrw)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
new file mode 100644
index 0000000000..329e554a68
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-15706-script-Avoid-a-use-after-free-when-redefining-a-func.patch
@@ -0,0 +1,117 @@
+From c65fc7e75b7b7e880d90766057040011701e97f4 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 14:41:45 +0100
+Subject: [PATCH 8/9] script: Avoid a use-after-free when redefining a function
+ during execution
+
+Defining a new function with the same name as a previously defined
+function causes the grub_script and associated resources for the
+previous function to be freed. If the previous function is currently
+executing when a function with the same name is defined, this results
+in use-after-frees when processing subsequent commands in the original
+function.
+
+Instead, reject a new function definition if it has the same name as
+a previously defined function, and that function is currently being
+executed. Although a behavioural change, this should be backwards
+compatible with existing configurations because they can't be
+dependent on the current behaviour without being broken.
+
+Fixes: CVE-2020-15706
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-15706
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=426f57383d647406ae9c628c472059c27cd6e040
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/script/execute.c | 2 ++
+ grub-core/script/function.c | 16 +++++++++++++---
+ grub-core/script/parser.y | 3 ++-
+ include/grub/script_sh.h | 2 ++
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index c8d6806..7e028e1 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
+ old_scope = scope;
+ scope = &new_scope;
+
++ func->executing++;
+ ret = grub_script_execute (func->func);
++ func->executing--;
+
+ function_return = 0;
+ active_loops = loops;
+diff --git a/grub-core/script/function.c b/grub-core/script/function.c
+index d36655e..3aad04b 100644
+--- a/grub-core/script/function.c
++++ b/grub-core/script/function.c
+@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+ func = (grub_script_function_t) grub_malloc (sizeof (*func));
+ if (! func)
+ return 0;
++ func->executing = 0;
+
+ func->name = grub_strdup (functionname_arg->str);
+ if (! func->name)
+@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+ grub_script_function_t q;
+
+ q = *p;
+- grub_script_free (q->func);
+- q->func = cmd;
+ grub_free (func);
+- func = q;
++ if (q->executing > 0)
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("attempt to redefine a function being executed"));
++ func = NULL;
++ }
++ else
++ {
++ grub_script_free (q->func);
++ q->func = cmd;
++ func = q;
++ }
+ }
+ else
+ {
+diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
+index 4f0ab83..f80b86b 100644
+--- a/grub-core/script/parser.y
++++ b/grub-core/script/parser.y
+@@ -289,7 +289,8 @@ function: "function" "name"
+ grub_script_mem_free (state->func_mem);
+ else {
+ script->children = state->scripts;
+- grub_script_function_create ($2, script);
++ if (!grub_script_function_create ($2, script))
++ grub_script_free (script);
+ }
+
+ state->scripts = $<scripts>3;
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index b382bcf..6c48e07 100644
+--- a/include/grub/script_sh.h
++++ b/include/grub/script_sh.h
+@@ -361,6 +361,8 @@ struct grub_script_function
+
+ /* The next element. */
+ struct grub_script_function *next;
++
++ unsigned executing;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
new file mode 100644
index 0000000000..d4f9300c0a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-15707-linux-Fix-integer-overflows-in-initrd-size-handling.patch
@@ -0,0 +1,177 @@
+From 68a09a74f6d726d79709847f3671c0a08e4fb5a0 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sat, 25 Jul 2020 12:15:37 +0100
+Subject: [PATCH 9/9] linux: Fix integer overflows in initrd size handling
+
+These could be triggered by a crafted filesystem with very large files.
+
+Fixes: CVE-2020-15707
+
+Signed-off-by: Colin Watson <cjwatson@debian.org>
+Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-15707
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e7b8856f8be3292afdb38d2e8c70ad8d62a61e10
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 54 insertions(+), 20 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 471b214..8c8565a 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -4,6 +4,7 @@
+ #include <grub/misc.h>
+ #include <grub/file.h>
+ #include <grub/mm.h>
++#include <grub/safemath.h>
+
+ struct newc_head
+ {
+@@ -98,13 +99,13 @@ free_dir (struct dir *root)
+ grub_free (root);
+ }
+
+-static grub_size_t
++static grub_err_t
+ insert_dir (const char *name, struct dir **root,
+- grub_uint8_t *ptr)
++ grub_uint8_t *ptr, grub_size_t *size)
+ {
+ struct dir *cur, **head = root;
+ const char *cb, *ce = name;
+- grub_size_t size = 0;
++ *size = 0;
+ while (1)
+ {
+ for (cb = ce; *cb == '/'; cb++);
+@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
+ ptr = make_header (ptr, name, ce - name,
+ 040777, 0);
+ }
+- size += ALIGN_UP ((ce - (char *) name)
+- + sizeof (struct newc_head), 4);
++ if (grub_add (*size,
++ ALIGN_UP ((ce - (char *) name)
++ + sizeof (struct newc_head), 4),
++ size))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ grub_free (n->name);
++ grub_free (n);
++ return grub_errno;
++ }
+ *head = n;
+ cur = n;
+ }
+ root = &cur->next;
+ }
+- return size;
++ return GRUB_ERR_NONE;
+ }
+
+ grub_err_t
+@@ -173,26 +182,33 @@ grub_initrd_init (int argc, char *argv[],
+ eptr = grub_strchr (ptr, ':');
+ if (eptr)
+ {
++ grub_size_t dir_size, name_len;
++
+ initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
+- if (!initrd_ctx->components[i].newc_name)
++ if (!initrd_ctx->components[i].newc_name ||
++ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
++ &dir_size))
+ {
+ grub_initrd_close (initrd_ctx);
+ return grub_errno;
+ }
+- initrd_ctx->size
+- += ALIGN_UP (sizeof (struct newc_head)
+- + grub_strlen (initrd_ctx->components[i].newc_name),
+- 4);
+- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
+- &root, 0);
++ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
++ if (grub_add (initrd_ctx->size,
++ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
++ &initrd_ctx->size) ||
++ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
++ goto overflow;
+ newc = 1;
+ fname = eptr + 1;
+ }
+ }
+ else if (newc)
+ {
+- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
+- + sizeof ("TRAILER!!!") - 1, 4);
++ if (grub_add (initrd_ctx->size,
++ ALIGN_UP (sizeof (struct newc_head)
++ + sizeof ("TRAILER!!!") - 1, 4),
++ &initrd_ctx->size))
++ goto overflow;
+ free_dir (root);
+ root = 0;
+ newc = 0;
+@@ -208,19 +224,29 @@ grub_initrd_init (int argc, char *argv[],
+ initrd_ctx->nfiles++;
+ initrd_ctx->components[i].size
+ = grub_file_size (initrd_ctx->components[i].file);
+- initrd_ctx->size += initrd_ctx->components[i].size;
++ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
++ &initrd_ctx->size))
++ goto overflow;
+ }
+
+ if (newc)
+ {
+ initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
+- + sizeof ("TRAILER!!!") - 1, 4);
++ if (grub_add (initrd_ctx->size,
++ ALIGN_UP (sizeof (struct newc_head)
++ + sizeof ("TRAILER!!!") - 1, 4),
++ &initrd_ctx->size))
++ goto overflow;
+ free_dir (root);
+ root = 0;
+ }
+
+ return GRUB_ERR_NONE;
++
++ overflow:
++ free_dir (root);
++ grub_initrd_close (initrd_ctx);
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ }
+
+ grub_size_t
+@@ -261,8 +287,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+
+ if (initrd_ctx->components[i].newc_name)
+ {
+- ptr += insert_dir (initrd_ctx->components[i].newc_name,
+- &root, ptr);
++ grub_size_t dir_size;
++
++ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
++ &dir_size))
++ {
++ free_dir (root);
++ grub_initrd_close (initrd_ctx);
++ return grub_errno;
++ }
++ ptr += dir_size;
+ ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
+ grub_strlen (initrd_ctx->components[i].newc_name),
+ 0100777,
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25632.patch b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
new file mode 100644
index 0000000000..0b37c72f0f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25632.patch
@@ -0,0 +1,90 @@
+From 7630ec5397fe418276b360f9011934b8c034936c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Tue, 29 Sep 2020 14:08:55 +0200
+Subject: [PATCH] dl: Only allow unloading modules that are not dependencies
+
+When a module is attempted to be removed its reference counter is always
+decremented. This means that repeated rmmod invocations will cause the
+module to be unloaded even if another module depends on it.
+
+This may lead to a use-after-free scenario allowing an attacker to execute
+arbitrary code and by-pass the UEFI Secure Boot protection.
+
+While being there, add the extern keyword to some function declarations in
+that header file.
+
+Fixes: CVE-2020-25632
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7630ec5397fe418276b360f9011934b8c034936c]
+CVE: CVE-2020-25632
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/minicmd.c | 7 +++++--
+ grub-core/kern/dl.c | 9 +++++++++
+ include/grub/dl.h | 8 +++++---
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 6bbce3128..fa498931e 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+ if (grub_dl_is_persistent (mod))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
+
+- if (grub_dl_unref (mod) <= 0)
+- grub_dl_unload (mod);
++ if (grub_dl_ref_count (mod) > 1)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload referenced module");
++
++ grub_dl_unref (mod);
++ grub_dl_unload (mod);
+
+ return 0;
+ }
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..48f8a7907 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -549,6 +549,15 @@ grub_dl_unref (grub_dl_t mod)
+ return --mod->ref_count;
+ }
+
++int
++grub_dl_ref_count (grub_dl_t mod)
++{
++ if (mod == NULL)
++ return 0;
++
++ return mod->ref_count;
++}
++
+ static void
+ grub_dl_flush_cache (grub_dl_t mod)
+ {
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index f03c03561..b3753c9ca 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -203,9 +203,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
+ grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
+ grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
+ int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
+-void grub_dl_unload_unneeded (void);
+-int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
+-int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern void grub_dl_unload_unneeded (void);
++extern int EXPORT_FUNC(grub_dl_ref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_unref) (grub_dl_t mod);
++extern int EXPORT_FUNC(grub_dl_ref_count) (grub_dl_t mod);
++
+ extern grub_dl_t EXPORT_VAR(grub_dl_head);
+
+ #ifndef GRUB_UTIL
+--
+2.33.0
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-25647.patch b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
new file mode 100644
index 0000000000..cb77fd4772
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-25647.patch
@@ -0,0 +1,119 @@
+From 128c16a682034263eb519c89bc0934eeb6fa8cfa Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 11 Dec 2020 19:19:21 +0100
+Subject: [PATCH] usb: Avoid possible out-of-bound accesses caused by malicious
+ devices
+
+The maximum number of configurations and interfaces are fixed but there is
+no out-of-bound checking to prevent a malicious USB device to report large
+values for these and cause accesses outside the arrays' memory.
+
+Fixes: CVE-2020-25647
+
+Reported-by: Joseph Tartaro <joseph.tartaro@ioactive.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=128c16a682034263eb519c89bc0934eeb6fa8cfa]
+CVE: CVE-2020-25647
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/bus/usb/usb.c | 15 ++++++++++++---
+ include/grub/usb.h | 10 +++++++---
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/bus/usb/usb.c b/grub-core/bus/usb/usb.c
+index 8da5e4c74..7cb3cc230 100644
+--- a/grub-core/bus/usb/usb.c
++++ b/grub-core/bus/usb/usb.c
+@@ -75,6 +75,9 @@ grub_usb_controller_iterate (grub_usb_controller_iterate_hook_t hook,
+ grub_usb_err_t
+ grub_usb_clear_halt (grub_usb_device_t dev, int endpoint)
+ {
++ if (endpoint >= GRUB_USB_MAX_TOGGLE)
++ return GRUB_USB_ERR_BADDEVICE;
++
+ dev->toggle[endpoint] = 0;
+ return grub_usb_control_msg (dev, (GRUB_USB_REQTYPE_OUT
+ | GRUB_USB_REQTYPE_STANDARD
+@@ -134,10 +137,10 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ return err;
+ descdev = &dev->descdev;
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ dev->config[i].descconf = NULL;
+
+- if (descdev->configcnt == 0)
++ if (descdev->configcnt == 0 || descdev->configcnt > GRUB_USB_MAX_CONF)
+ {
+ err = GRUB_USB_ERR_BADDEVICE;
+ goto fail;
+@@ -172,6 +175,12 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+ /* Skip the configuration descriptor. */
+ pos = dev->config[i].descconf->length;
+
++ if (dev->config[i].descconf->numif > GRUB_USB_MAX_IF)
++ {
++ err = GRUB_USB_ERR_BADDEVICE;
++ goto fail;
++ }
++
+ /* Read all interfaces. */
+ for (currif = 0; currif < dev->config[i].descconf->numif; currif++)
+ {
+@@ -217,7 +226,7 @@ grub_usb_device_initialize (grub_usb_device_t dev)
+
+ fail:
+
+- for (i = 0; i < 8; i++)
++ for (i = 0; i < GRUB_USB_MAX_CONF; i++)
+ grub_free (dev->config[i].descconf);
+
+ return err;
+diff --git a/include/grub/usb.h b/include/grub/usb.h
+index 512ae1dd0..6475c552f 100644
+--- a/include/grub/usb.h
++++ b/include/grub/usb.h
+@@ -23,6 +23,10 @@
+ #include <grub/usbdesc.h>
+ #include <grub/usbtrans.h>
+
++#define GRUB_USB_MAX_CONF 8
++#define GRUB_USB_MAX_IF 32
++#define GRUB_USB_MAX_TOGGLE 256
++
+ typedef struct grub_usb_device *grub_usb_device_t;
+ typedef struct grub_usb_controller *grub_usb_controller_t;
+ typedef struct grub_usb_controller_dev *grub_usb_controller_dev_t;
+@@ -167,7 +171,7 @@ struct grub_usb_configuration
+ struct grub_usb_desc_config *descconf;
+
+ /* Interfaces associated to this configuration. */
+- struct grub_usb_interface interf[32];
++ struct grub_usb_interface interf[GRUB_USB_MAX_IF];
+ };
+
+ struct grub_usb_hub_port
+@@ -191,7 +195,7 @@ struct grub_usb_device
+ struct grub_usb_controller controller;
+
+ /* Device configurations (after opening the device). */
+- struct grub_usb_configuration config[8];
++ struct grub_usb_configuration config[GRUB_USB_MAX_CONF];
+
+ /* Device address. */
+ int addr;
+@@ -203,7 +207,7 @@ struct grub_usb_device
+ int initialized;
+
+ /* Data toggle values (used for bulk transfers only). */
+- int toggle[256];
++ int toggle[GRUB_USB_MAX_TOGGLE];
+
+ /* Used by libusb wrapper. Schedulded for removal. */
+ void *data;
+--
+2.33.0
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27749.patch b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
new file mode 100644
index 0000000000..a2566b2ded
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27749.patch
@@ -0,0 +1,609 @@
+From 4ea7bae51f97e49c84dc67ea30b466ca8633b9f6 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Thu, 7 Jan 2021 19:21:03 +0000
+Subject: kern/parser: Fix a stack buffer overflow
+
+grub_parser_split_cmdline() expands variable names present in the supplied
+command line in to their corresponding variable contents and uses a 1 kiB
+stack buffer for temporary storage without sufficient bounds checking. If
+the function is called with a command line that references a variable with
+a sufficiently large payload, it is possible to overflow the stack
+buffer via tab completion, corrupt the stack frame and potentially
+control execution.
+
+Fixes: CVE-2020-27749
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=c6c426e5ab6ea715153b72584de6bd8c82f698ec && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=b1c9e9e889e4273fb15712051c887e6078511448 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=3d157bbd06506b170fde5ec23980c4bf9f7660e2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=8bc817014ce3d7a498db44eae33c8b90e2430926 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=030fb6c4fa354cdbd6a8d6903dfed5d36eaf3cb2 && https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=4ea7bae51f97e49c84dc67ea30b466ca8633b9f6]
+CVE: CVE-2020-27749
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/Makefile.core.def | 1 +
+ grub-core/kern/buffer.c | 117 +++++++++++++++++++++
+ grub-core/kern/parser.c | 204 +++++++++++++++++++++++-------------
+ include/grub/buffer.h | 144 +++++++++++++++++++++++++
+ 4 files changed, 395 insertions(+), 71 deletions(-)
+ create mode 100644 grub-core/kern/buffer.c
+ create mode 100644 include/grub/buffer.h
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 651ea2a..823cd57 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -123,6 +123,7 @@ kernel = {
+ riscv32_efi_startup = kern/riscv/efi/startup.S;
+ riscv64_efi_startup = kern/riscv/efi/startup.S;
+
++ common = kern/buffer.c;
+ common = kern/command.c;
+ common = kern/corecmd.c;
+ common = kern/device.c;
+diff --git a/grub-core/kern/buffer.c b/grub-core/kern/buffer.c
+new file mode 100644
+index 0000000..9f5f8b8
+--- /dev/null
++++ b/grub-core/kern/buffer.c
+@@ -0,0 +1,117 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <grub/buffer.h>
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++grub_buffer_t
++grub_buffer_new (grub_size_t sz)
++{
++ struct grub_buffer *ret;
++
++ ret = (struct grub_buffer *) grub_malloc (sizeof (*ret));
++ if (ret == NULL)
++ return NULL;
++
++ ret->data = (grub_uint8_t *) grub_malloc (sz);
++ if (ret->data == NULL)
++ {
++ grub_free (ret);
++ return NULL;
++ }
++
++ ret->sz = sz;
++ ret->pos = 0;
++ ret->used = 0;
++
++ return ret;
++}
++
++void
++grub_buffer_free (grub_buffer_t buf)
++{
++ grub_free (buf->data);
++ grub_free (buf);
++}
++
++grub_err_t
++grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req)
++{
++ grub_uint8_t *d;
++ grub_size_t newsz = 1;
++
++ /* Is the current buffer size adequate? */
++ if (buf->sz >= req)
++ return GRUB_ERR_NONE;
++
++ /* Find the smallest power-of-2 size that satisfies the request. */
++ while (newsz < req)
++ {
++ if (newsz == 0)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("requested buffer size is too large"));
++ newsz <<= 1;
++ }
++
++ d = (grub_uint8_t *) grub_realloc (buf->data, newsz);
++ if (d == NULL)
++ return grub_errno;
++
++ buf->data = d;
++ buf->sz = newsz;
++
++ return GRUB_ERR_NONE;
++}
++
++void *
++grub_buffer_take_data (grub_buffer_t buf)
++{
++ void *data = buf->data;
++
++ buf->data = NULL;
++ buf->sz = buf->pos = buf->used = 0;
++
++ return data;
++}
++
++void
++grub_buffer_reset (grub_buffer_t buf)
++{
++ buf->pos = buf->used = 0;
++}
++
++grub_err_t
++grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n)
++{
++ grub_size_t newpos;
++
++ if (grub_add (buf->pos, n, &newpos))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (newpos > buf->used)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("new read is position beyond the end of the written data"));
++
++ buf->pos = newpos;
++
++ return GRUB_ERR_NONE;
++}
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index d1cf061..6ab7aa4 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -1,7 +1,7 @@
+ /* parser.c - the part of the parser that can return partial tokens */
+ /*
+ * GRUB -- GRand Unified Bootloader
+- * Copyright (C) 2005,2007,2009 Free Software Foundation, Inc.
++ * Copyright (C) 2005,2007,2009,2021 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -18,6 +18,7 @@
+ */
+
+ #include <grub/parser.h>
++#include <grub/buffer.h>
+ #include <grub/env.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+@@ -107,8 +108,8 @@ check_varstate (grub_parser_state_t s)
+ }
+
+
+-static void
+-add_var (char *varname, char **bp, char **vp,
++static grub_err_t
++add_var (grub_buffer_t varname, grub_buffer_t buf,
+ grub_parser_state_t state, grub_parser_state_t newstate)
+ {
+ const char *val;
+@@ -116,17 +117,74 @@ add_var (char *varname, char **bp, char **vp,
+ /* Check if a variable was being read in and the end of the name
+ was reached. */
+ if (!(check_varstate (state) && !check_varstate (newstate)))
+- return;
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (varname, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
+
+- *((*vp)++) = '\0';
+- val = grub_env_get (varname);
+- *vp = varname;
++ val = grub_env_get ((const char *) grub_buffer_peek_data (varname));
++ grub_buffer_reset (varname);
+ if (!val)
+- return;
++ return GRUB_ERR_NONE;
+
+ /* Insert the contents of the variable in the buffer. */
+- for (; *val; val++)
+- *((*bp)++) = *val;
++ return grub_buffer_append_data (buf, val, grub_strlen (val));
++}
++
++static grub_err_t
++terminate_arg (grub_buffer_t buffer, int *argc)
++{
++ grub_size_t unread = grub_buffer_get_unread_bytes (buffer);
++
++ if (unread == 0)
++ return GRUB_ERR_NONE;
++
++ if (*(const char *) grub_buffer_peek_data_at (buffer, unread - 1) == '\0')
++ return GRUB_ERR_NONE;
++
++ if (grub_buffer_append_char (buffer, '\0') != GRUB_ERR_NONE)
++ return grub_errno;
++
++ (*argc)++;
++
++ return GRUB_ERR_NONE;
++}
++
++static grub_err_t
++process_char (char c, grub_buffer_t buffer, grub_buffer_t varname,
++ grub_parser_state_t state, int *argc,
++ grub_parser_state_t *newstate)
++{
++ char use;
++
++ *newstate = grub_parser_cmdline_state (state, c, &use);
++
++ /*
++ * If a variable was being processed and this character does
++ * not describe the variable anymore, write the variable to
++ * the buffer.
++ */
++ if (add_var (varname, buffer, state, *newstate) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ if (check_varstate (*newstate))
++ {
++ if (use)
++ return grub_buffer_append_char (varname, use);
++ }
++ else if (*newstate == GRUB_PARSER_STATE_TEXT &&
++ state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
++ {
++ /*
++ * Don't add more than one argument if multiple
++ * spaces are used.
++ */
++ return terminate_arg (buffer, argc);
++ }
++ else if (use)
++ return grub_buffer_append_char (buffer, use);
++
++ return GRUB_ERR_NONE;
+ }
+
+ grub_err_t
+@@ -135,24 +193,36 @@ grub_parser_split_cmdline (const char *cmdline,
+ int *argc, char ***argv)
+ {
+ grub_parser_state_t state = GRUB_PARSER_STATE_TEXT;
+- /* XXX: Fixed size buffer, perhaps this buffer should be dynamically
+- allocated. */
+- char buffer[1024];
+- char *bp = buffer;
++ grub_buffer_t buffer, varname;
+ char *rd = (char *) cmdline;
+- char varname[200];
+- char *vp = varname;
+- char *args;
++ char *rp = rd;
+ int i;
+
+ *argc = 0;
+ *argv = NULL;
++
++ buffer = grub_buffer_new (1024);
++ if (buffer == NULL)
++ return grub_errno;
++
++ varname = grub_buffer_new (200);
++ if (varname == NULL)
++ goto fail;
++
+ do
+ {
+- if (!rd || !*rd)
++ if (rp == NULL || *rp == '\0')
+ {
++ if (rd != cmdline)
++ {
++ grub_free (rd);
++ rd = rp = NULL;
++ }
+ if (getline)
+- getline (&rd, 1, getline_data);
++ {
++ getline (&rd, 1, getline_data);
++ rp = rd;
++ }
+ else
+ break;
+ }
+@@ -160,39 +230,14 @@ grub_parser_split_cmdline (const char *cmdline,
+ if (!rd)
+ break;
+
+- for (; *rd; rd++)
++ for (; *rp != '\0'; rp++)
+ {
+ grub_parser_state_t newstate;
+- char use;
+
+- newstate = grub_parser_cmdline_state (state, *rd, &use);
++ if (process_char (*rp, buffer, varname, state, argc,
++ &newstate) != GRUB_ERR_NONE)
++ goto fail;
+
+- /* If a variable was being processed and this character does
+- not describe the variable anymore, write the variable to
+- the buffer. */
+- add_var (varname, &bp, &vp, state, newstate);
+-
+- if (check_varstate (newstate))
+- {
+- if (use)
+- *(vp++) = use;
+- }
+- else
+- {
+- if (newstate == GRUB_PARSER_STATE_TEXT
+- && state != GRUB_PARSER_STATE_ESC && grub_isspace (use))
+- {
+- /* Don't add more than one argument if multiple
+- spaces are used. */
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
+- }
+- else if (use)
+- *(bp++) = use;
+- }
+ state = newstate;
+ }
+ }
+@@ -200,43 +245,60 @@ grub_parser_split_cmdline (const char *cmdline,
+
+ /* A special case for when the last character was part of a
+ variable. */
+- add_var (varname, &bp, &vp, state, GRUB_PARSER_STATE_TEXT);
++ if (add_var (varname, buffer, state, GRUB_PARSER_STATE_TEXT) != GRUB_ERR_NONE)
++ goto fail;
+
+- if (bp != buffer && *(bp - 1))
+- {
+- *(bp++) = '\0';
+- (*argc)++;
+- }
++ /* Ensure that the last argument is terminated. */
++ if (terminate_arg (buffer, argc) != GRUB_ERR_NONE)
++ goto fail;
+
+ /* If there are no args, then we're done. */
+ if (!*argc)
+- return 0;
+-
+- /* Reserve memory for the return values. */
+- args = grub_malloc (bp - buffer);
+- if (!args)
+- return grub_errno;
+- grub_memcpy (args, buffer, bp - buffer);
++ {
++ grub_errno = GRUB_ERR_NONE;
++ goto out;
++ }
+
+ *argv = grub_calloc (*argc + 1, sizeof (char *));
+ if (!*argv)
+- {
+- grub_free (args);
+- return grub_errno;
+- }
++ goto fail;
+
+ /* The arguments are separated with 0's, setup argv so it points to
+ the right values. */
+- bp = args;
+ for (i = 0; i < *argc; i++)
+ {
+- (*argv)[i] = bp;
+- while (*bp)
+- bp++;
+- bp++;
++ char *arg;
++
++ if (i > 0)
++ {
++ if (grub_buffer_advance_read_pos (buffer, 1) != GRUB_ERR_NONE)
++ goto fail;
++ }
++
++ arg = (char *) grub_buffer_peek_data (buffer);
++ if (arg == NULL ||
++ grub_buffer_advance_read_pos (buffer, grub_strlen (arg)) != GRUB_ERR_NONE)
++ goto fail;
++
++ (*argv)[i] = arg;
+ }
+
+- return 0;
++ /* Keep memory for the return values. */
++ grub_buffer_take_data (buffer);
++
++ grub_errno = GRUB_ERR_NONE;
++
++ out:
++ if (rd != cmdline)
++ grub_free (rd);
++ grub_buffer_free (buffer);
++ grub_buffer_free (varname);
++
++ return grub_errno;
++
++ fail:
++ grub_free (*argv);
++ goto out;
+ }
+
+ /* Helper for grub_parser_execute. */
+diff --git a/include/grub/buffer.h b/include/grub/buffer.h
+new file mode 100644
+index 0000000..f4b10cf
+--- /dev/null
++++ b/include/grub/buffer.h
+@@ -0,0 +1,144 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2021 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#ifndef GRUB_BUFFER_H
++#define GRUB_BUFFER_H 1
++
++#include <grub/err.h>
++#include <grub/misc.h>
++#include <grub/mm.h>
++#include <grub/safemath.h>
++#include <grub/types.h>
++
++struct grub_buffer
++{
++ grub_uint8_t *data;
++ grub_size_t sz;
++ grub_size_t pos;
++ grub_size_t used;
++};
++
++/*
++ * grub_buffer_t represents a simple variable sized byte buffer with
++ * read and write cursors. It currently only implements
++ * functionality required by the only user in GRUB (append byte[s],
++ * peeking data at a specified position and updating the read cursor.
++ * Some things that this doesn't do yet are:
++ * - Reading a portion of the buffer by copying data from the current
++ * read position in to a caller supplied destination buffer and then
++ * automatically updating the read cursor.
++ * - Dropping the read part at the start of the buffer when an append
++ * requires more space.
++ */
++typedef struct grub_buffer *grub_buffer_t;
++
++/* Allocate a new buffer with the specified initial size. */
++extern grub_buffer_t grub_buffer_new (grub_size_t sz);
++
++/* Free the buffer and its resources. */
++extern void grub_buffer_free (grub_buffer_t buf);
++
++/* Return the number of unread bytes in this buffer. */
++static inline grub_size_t
++grub_buffer_get_unread_bytes (grub_buffer_t buf)
++{
++ return buf->used - buf->pos;
++}
++
++/*
++ * Ensure that the buffer size is at least the requested
++ * number of bytes.
++ */
++extern grub_err_t grub_buffer_ensure_space (grub_buffer_t buf, grub_size_t req);
++
++/*
++ * Append the specified number of bytes from the supplied
++ * data to the buffer.
++ */
++static inline grub_err_t
++grub_buffer_append_data (grub_buffer_t buf, const void *data, grub_size_t len)
++{
++ grub_size_t req;
++
++ if (grub_add (buf->used, len, &req))
++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++ if (grub_buffer_ensure_space (buf, req) != GRUB_ERR_NONE)
++ return grub_errno;
++
++ grub_memcpy (&buf->data[buf->used], data, len);
++ buf->used = req;
++
++ return GRUB_ERR_NONE;
++}
++
++/* Append the supplied character to the buffer. */
++static inline grub_err_t
++grub_buffer_append_char (grub_buffer_t buf, char c)
++{
++ return grub_buffer_append_data (buf, &c, 1);
++}
++
++/*
++ * Forget and return the underlying data buffer. The caller
++ * becomes the owner of this buffer, and must free it when it
++ * is no longer required.
++ */
++extern void *grub_buffer_take_data (grub_buffer_t buf);
++
++/* Reset this buffer. Note that this does not deallocate any resources. */
++void grub_buffer_reset (grub_buffer_t buf);
++
++/*
++ * Return a pointer to the underlying data buffer at the specified
++ * offset from the current read position. Note that this pointer may
++ * become invalid if the buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data_at (grub_buffer_t buf, grub_size_t off)
++{
++ if (grub_add (buf->pos, off, &off))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected."));
++ return NULL;
++ }
++
++ if (off >= buf->used)
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("peek out of range"));
++ return NULL;
++ }
++
++ return &buf->data[off];
++}
++
++/*
++ * Return a pointer to the underlying data buffer at the current
++ * read position. Note that this pointer may become invalid if the
++ * buffer is mutated further.
++ */
++static inline void *
++grub_buffer_peek_data (grub_buffer_t buf)
++{
++ return grub_buffer_peek_data_at (buf, 0);
++}
++
++/* Advance the read position by the specified number of bytes. */
++extern grub_err_t grub_buffer_advance_read_pos (grub_buffer_t buf, grub_size_t n);
++
++#endif /* GRUB_BUFFER_H */
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
new file mode 100644
index 0000000000..c82423b8af
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
@@ -0,0 +1,70 @@
+From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+ is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 4 ++++
+ grub-core/mmap/mmap.c | 13 +++++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 47ac7ff..a1aaee6 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
++
+ @node blocklist
+ @subsection blocklist
+
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a..7ebf32e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+ #include <grub/memory.h>
+ #include <grub/machine/memory.h>
+ #include <grub/err.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+
+ GRUB_MOD_INIT(mmap)
+ {
+- cmd = grub_register_command ("badram", grub_cmd_badram,
+- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+- N_("Declare memory regions as faulty (badram)."));
+- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+- N_("FROM[K|M|G] TO[K|M|G]"),
+- N_("Remove any memory regions in specified range."));
++ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++ N_("Declare memory regions as faulty (badram)."));
++ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++ N_("FROM[K|M|G] TO[K|M|G]"),
++ N_("Remove any memory regions in specified range."));
+
+ }
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
new file mode 100644
index 0000000000..e33c96a05b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
+From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+ * fakebios: creates BIOS-like structures for backward compatibility with
+ existing OSes. This should not be allowed when locked down.
+
+ * loadbios: reads a BIOS dump from storage and loads it. This action
+ should not be allowed when locked down.
+
+ * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+ any Device Tree provided by the firmware. This also should
+ not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 3 +++
+ grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+ grub-core/loader/arm/linux.c | 6 +++---
+ grub-core/loader/efi/fdt.c | 4 ++--
+ 4 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a1aaee6..ccf1908 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
+ @ref{GNU/Linux}.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+
+ @node distrust
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+
+ GRUB_MOD_INIT(loadbios)
+ {
+- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+- 0, N_("Create BIOS-like structures for"
+- " backward compatibility with"
+- " existing OS."));
+-
+- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+- N_("BIOS_DUMP [INT10_DUMP]"),
+- N_("Load BIOS dump."));
++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++ 0, N_("Create BIOS-like structures for"
++ " backward compatibility with"
++ " existing OS."));
++
++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++ N_("BIOS_DUMP [INT10_DUMP]"),
++ N_("Load BIOS dump."));
+ }
+
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+ 0, N_("Load Linux."));
+ cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+ 0, N_("Load initrd."));
+- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+- /* TRANSLATORS: DTB stands for device tree blob. */
+- 0, N_("Load DTB file."));
++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++ /* TRANSLATORS: DTB stands for device tree blob. */
++ 0, N_("Load DTB file."));
+ my_mod = mod;
+ current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+ machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+ cmd_devicetree =
+- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+- N_("Load DTB file."));
++ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++ N_("Load DTB file."));
+ }
+
+ GRUB_MOD_FINI (fdt)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
new file mode 100644
index 0000000000..f9a6a73ebc
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch
@@ -0,0 +1,37 @@
+From e4f5c16f76e137b3beb6b61a6d2435e54fcb495c Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 22:59:59 +0100
+Subject: [PATCH] commands/setpci: Restrict setpci command when locked down
+
+This command can set PCI devices register values, which makes it dangerous
+in a locked down configuration. Restrict it so can't be used on this setup.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=58b77d4069823b44c5fa916fa8ddfc9c4cd51e02]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/setpci.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c
+index d5bc97d..fa2ba7d 100644
+--- a/grub-core/commands/setpci.c
++++ b/grub-core/commands/setpci.c
+@@ -329,10 +329,10 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(setpci)
+ {
+- cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0,
+- N_("[-s POSITION] [-d DEVICE] [-v VAR] "
+- "REGISTER[=VALUE[:MASK]]"),
+- N_("Manipulate PCI devices."), options);
++ cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0,
++ N_("[-s POSITION] [-d DEVICE] [-v VAR] "
++ "REGISTER[=VALUE[:MASK]]"),
++ N_("Manipulate PCI devices."), options);
+ }
+
+ GRUB_MOD_FINI(setpci)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
new file mode 100644
index 0000000000..a756f8d1cf
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch
@@ -0,0 +1,35 @@
+From 7949671de268ba3116d113778e5d770574e9f9e3 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 12:59:29 +0100
+Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down
+
+The command can be used to get/set ATA disk parameters. Some of these can
+be dangerous since change the disk behavior. Restrict it when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5c97492a29c6063567b65ed1a069f5e6f4e211f0]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/commands/hdparm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c
+index d3fa966..2e2319e 100644
+--- a/grub-core/commands/hdparm.c
++++ b/grub-core/commands/hdparm.c
+@@ -436,9 +436,9 @@ static grub_extcmd_t cmd;
+
+ GRUB_MOD_INIT(hdparm)
+ {
+- cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0,
+- N_("[OPTIONS] DISK"),
+- N_("Get/set ATA disk parameters."), options);
++ cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0,
++ N_("[OPTIONS] DISK"),
++ N_("Get/set ATA disk parameters."), options);
+ }
+
+ GRUB_MOD_FINI(hdparm)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
new file mode 100644
index 0000000000..b52273ff50
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch
@@ -0,0 +1,62 @@
+From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 15:03:26 +0100
+Subject: [PATCH] gdb: Restrict GDB access when locked down
+
+The gdbstub* commands allow to start and control a GDB stub running on
+local host that can be used to connect from a remote debugger. Restrict
+this functionality when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/gdb/gdb.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c
+index 847a1e1..1818cb6 100644
+--- a/grub-core/gdb/gdb.c
++++ b/grub-core/gdb/gdb.c
+@@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break;
+ GRUB_MOD_INIT (gdb)
+ {
+ grub_gdb_idtinit ();
+- cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub,
+- N_("PORT"),
+- /* TRANSLATORS: GDB stub is a small part of
+- GDB functionality running on local host
+- which allows remote debugger to
+- connect to it. */
+- N_("Start GDB stub on given port"));
+- cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break,
+- /* TRANSLATORS: this refers to triggering
+- a breakpoint so that the user will land
+- into GDB. */
+- 0, N_("Break into GDB"));
+- cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop,
+- 0, N_("Stop GDB stub"));
++ cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub,
++ N_("PORT"),
++ /*
++ * TRANSLATORS: GDB stub is a small part of
++ * GDB functionality running on local host
++ * which allows remote debugger to
++ * connect to it.
++ */
++ N_("Start GDB stub on given port"));
++ cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break,
++ /*
++ * TRANSLATORS: this refers to triggering
++ * a breakpoint so that the user will land
++ * into GDB.
++ */
++ 0, N_("Break into GDB"));
++ cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop,
++ 0, N_("Stop GDB stub"));
+ }
+
+ GRUB_MOD_FINI (gdb)
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
new file mode 100644
index 0000000000..474826ade5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
+From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+ locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060..07232d2 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
+ N_("Load XNU image."));
+ cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+ 0, N_("Load 64-bit XNU image."));
+- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+- N_("Load XNU extension package."));
+- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+- N_("Load XNU extension."));
+- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+- /* TRANSLATORS: OSBundleRequired is a
+- variable name in xnu extensions
+- manifests. It behaves mostly like
+- GNU/Linux runlevels.
+- */
+- N_("DIRECTORY [OSBundleRequired]"),
+- /* TRANSLATORS: There are many extensions
+- in extension directory. */
+- N_("Load XNU extension directory."));
++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++ N_("Load XNU extension package."));
++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++ N_("Load XNU extension."));
++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++ /*
++ * TRANSLATORS: OSBundleRequired is
++ * a variable name in xnu extensions
++ * manifests. It behaves mostly like
++ * GNU/Linux runlevels.
++ */
++ N_("DIRECTORY [OSBundleRequired]"),
++ /*
++ * TRANSLATORS: There are many extensions
++ * in extension directory.
++ */
++ N_("Load XNU extension directory."));
+ cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+ /* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
+ N_("Load XNU ramdisk. "
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
new file mode 100644
index 0000000000..e5d372a2b1
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch
@@ -0,0 +1,65 @@
+From dcc5a434e59f721b03cc809db0375a24aa2ac6d0 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Sat, 7 Nov 2020 01:03:18 +0100
+Subject: [PATCH] docs: Document the cutmem command
+
+The command is not present in the docs/grub.texi user documentation.
+
+Reported-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f05e79a0143beb2d9a482a3ebf4fe0ce76778122]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index ccf1908..ae85f55 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help}
+ * cpuid:: Check for CPU features
+ * crc:: Compute or check CRC32 checksums
+ * cryptomount:: Mount a crypto device
++* cutmem:: Remove memory regions
+ * date:: Display or set current date and time
+ * devicetree:: Load a device tree blob
+ * distrust:: Remove a pubkey from trusted keys
+@@ -4051,6 +4052,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+
++The command is similar to @command{cutmem} command.
++
+ Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This prevents removing EFI memory regions to potentially subvert the
+ security mechanisms provided by the UEFI secure boot.
+@@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
+ be used.
+ @end deffn
+
++@node cutmem
++@subsection cutmem
++
++@deffn Command cutmem from[K|M|G] to[K|M|G]
++Remove any memory regions in specified range.
++@end deffn
++
++This command notifies the memory manager that specified regions of RAM ought to
++be filtered out. This remains in effect after a payload kernel has been loaded
++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels
++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot
++kernels in general.
++
++The command is similar to @command{badram} command.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This prevents removing EFI memory regions to potentially subvert the
++ security mechanisms provided by the UEFI secure boot.
+
+ @node date
+ @subsection date
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20225.patch b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
new file mode 100644
index 0000000000..b864febe62
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20225.patch
@@ -0,0 +1,58 @@
+From 2a330dba93ff11bc00eda76e9419bc52b0c7ead6 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 16:07:29 +1100
+Subject: lib/arg: Block repeated short options that require an argument
+
+Fuzzing found the following crash:
+
+ search -hhhhhhhhhhhhhf
+
+We didn't allocate enough option space for 13 hints because the
+allocation code counts the number of discrete arguments (i.e. argc).
+However, the shortopt parsing code will happily keep processing
+a combination of short options without checking if those short
+options require an argument. This means you can easily end writing
+past the allocated option space.
+
+This fixes a OOB write which can cause heap corruption.
+
+Fixes: CVE-2021-20225
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2a330dba93ff11bc00eda76e9419bc52b0c7ead6]
+CVE: CVE-2021-20225
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/lib/arg.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index 3288609..537c5e9 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -299,6 +299,19 @@ grub_arg_parse (grub_extcmd_t cmd, int argc, char **argv,
+ it can have an argument value. */
+ if (*curshort)
+ {
++ /*
++ * Only permit further short opts if this one doesn't
++ * require a value.
++ */
++ if (opt->type != ARG_TYPE_NONE &&
++ !(opt->flags & GRUB_ARG_OPTION_OPTIONAL))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("missing mandatory option for `%s'"),
++ opt->longarg);
++ goto fail;
++ }
++
+ if (parse_option (cmd, opt, 0, usr) || grub_errno)
+ goto fail;
+ }
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-20233.patch b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
new file mode 100644
index 0000000000..d2069afc18
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-20233.patch
@@ -0,0 +1,50 @@
+From 2f533a89a8dfcacbf2c9dbc77d910f111f24bf33 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 22 Jan 2021 17:10:48 +1100
+Subject: commands/menuentry: Fix quoting in setparams_prefix()
+
+Commit 9acdcbf32542 (use single quotes in menuentry setparams command)
+says that expressing a quoted single quote will require 3 characters. It
+actually requires (and always did require!) 4 characters:
+
+ str: a'b => a'\''b
+ len: 3 => 6 (2 for the letters + 4 for the quote)
+
+This leads to not allocating enough memory and thus out of bounds writes
+that have been observed to cause heap corruption.
+
+Allocate 4 bytes for each single quote.
+
+Commit 22e7dbb2bb81 (Fix quoting in legacy parser.) does the same
+quoting, but it adds 3 as extra overhead on top of the single byte that
+the quote already needs. So it's correct.
+
+Fixes: 9acdcbf32542 (use single quotes in menuentry setparams command)
+Fixes: CVE-2021-20233
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?h=grub-2.06&id=2f533a89a8dfcacbf2c9dbc77d910f111f24bf33]
+CVE: CVE-2021-20233
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/menuentry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 9164df7..720e6d8 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -230,7 +230,7 @@ setparams_prefix (int argc, char **args)
+ len += 3; /* 3 = 1 space + 2 quotes */
+ p = args[i];
+ while (*p)
+- len += (*p++ == '\'' ? 3 : 1);
++ len += (*p++ == '\'' ? 4 : 1);
+ }
+
+ result = grub_malloc (len + 2);
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
new file mode 100644
index 0000000000..7d6e805725
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@
+From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:01:35 +0530
+Subject: [PATCH] CVE-2021-3695
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08]
+CVE: CVE-2021-3695
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+ video/readers/png: Drop greyscale support to fix heap out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+ for (i = 0; i < (data->image_width * data->image_height);
+ i++, d1 += 4, d2 += 2)
+{
+ d1[R3] = d2[1];
+ d1[G3] = d2[1];
+ d1[B3] = d2[1];
+}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 89 ++++-------------------------------
+ 1 file changed, 8 insertions(+), 81 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 0157ff7..db4a9d4 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+
+ unsigned image_width, image_height;
+ int bpp, is_16bit;
+- int raw_bytes, is_gray, is_alpha, is_palette;
++ int raw_bytes, is_alpha, is_palette;
+ int row_bytes, color_bits;
+ grub_uint8_t *image_data;
+
+@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ data->bpp = 3;
+ else
+ {
+- data->is_gray = 1;
+- data->bpp = 1;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: color type not supported");
+ }
+
+ if ((color_bits != 8) && (color_bits != 16)
+ && (color_bits != 4
+- || !(data->is_gray || data->is_palette)))
++ || !data->is_palette))
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "png: bit depth must be 8 or 16");
+
+@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+ }
+
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+- if (data->is_16bit || data->is_gray || data->is_palette)
++ if (data->is_16bit || data->is_palette)
+ #endif
+ {
+ data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data)
+ int shift;
+ int mask = (1 << data->color_bits) - 1;
+ unsigned j;
+- if (data->is_gray)
+- {
+- /* Generic formula is
+- (0xff * i) / ((1U << data->color_bits) - 1)
+- but for allowed bit depth of 1, 2 and for it's
+- equivalent to
+- (0xff / ((1U << data->color_bits) - 1)) * i
+- Precompute the multipliers to avoid division.
+- */
+-
+- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+- for (i = 0; i < (1U << data->color_bits); i++)
+- {
+- grub_uint8_t col = multipliers[data->color_bits] * i;
+- palette[i][0] = col;
+- palette[i][1] = col;
+- palette[i][2] = col;
+- }
+- }
+- else
+- grub_memcpy (palette, data->palette, 3 << data->color_bits);
++
++ grub_memcpy (palette, data->palette, 3 << data->color_bits);
+ d1c = d1;
+ d2c = d2;
+ for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data)
+ return;
+ }
+
+- if (data->is_gray)
+- {
+- switch (data->bpp)
+- {
+- case 4:
+- /* 16-bit gray with alpha. */
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 4)
+- {
+- d1[R4] = d2[3];
+- d1[G4] = d2[3];
+- d1[B4] = d2[3];
+- d1[A4] = d2[1];
+- }
+- break;
+- case 2:
+- if (data->is_16bit)
+- /* 16-bit gray without alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R3] = d2[1];
+- d1[G3] = d2[1];
+- d1[B3] = d2[1];
+- }
+- }
+- else
+- /* 8-bit gray with alpha. */
+- {
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 4, d2 += 2)
+- {
+- d1[R4] = d2[1];
+- d1[G4] = d2[1];
+- d1[B4] = d2[1];
+- d1[A4] = d2[0];
+- }
+- }
+- break;
+- /* 8-bit gray without alpha. */
+- case 1:
+- for (i = 0; i < (data->image_width * data->image_height);
+- i++, d1 += 3, d2++)
+- {
+- d1[R3] = d2[0];
+- d1[G3] = d2[0];
+- d1[B3] = d2[0];
+- }
+- break;
+- }
+- return;
+- }
+-
+- {
++ {
+ /* Only copy the upper 8 bit. */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+ for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1);
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
new file mode 100644
index 0000000000..ef6da945c4
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch
@@ -0,0 +1,46 @@
+From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 20 Jul 2022 10:05:42 +0530
+Subject: [PATCH] CVE-2021-3696
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042]
+CVE: CVE-2021-3696
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/png: Avoid heap OOB R/W inserting huff table items
+
+In fuzzing we observed crashes where a code would attempt to be inserted
+into a huffman table before the start, leading to a set of heap OOB reads
+and writes as table entries with negative indices were shifted around and
+the new code written in.
+
+Catch the case where we would underflow the array and bail.
+
+Fixes: CVE-2021-3696
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/png.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 36b3f10..3c05951 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len)
+ for (i = len; i < ht->max_length; i++)
+ n += ht->maxval[i];
+
++ if (n > ht->num_values)
++ {
++ grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "png: out of range inserting huffman table item");
++ return;
++ }
++
+ for (i = 0; i < n; i++)
+ ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1];
+
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
new file mode 100644
index 0000000000..be15e7d1f2
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch
@@ -0,0 +1,82 @@
+From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 19 Jul 2022 11:13:02 +0530
+Subject: [PATCH] CVE-2021-3697
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6]
+CVE: CVE-2021-3697
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+video/readers/jpeg: Block int underflow -> wild pointer write
+
+Certain 1 px wide images caused a wild pointer write in
+grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
+we have the following loop:
+
+for (; data->r1 < nr1 && (!data->dri || rst);
+ data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
+
+We did not check if vb * width >= hb * nc1.
+
+On a 64-bit platform, if that turns out to be negative, it will underflow,
+be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
+we see data->bitmap_ptr jump, e.g.:
+
+0x6180_0000_0480 to
+0x6181_0000_0498
+ ^
+ ~--- carry has occurred and this pointer is now far away from
+ any object.
+
+On a 32-bit platform, it will decrement the pointer, creating a pointer
+that won't crash but will overwrite random data.
+
+Catch the underflow and error out.
+
+Fixes: CVE-2021-3697
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/video/readers/jpeg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 31359a4..545a60b 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -617,6 +618,7 @@ static grub_err_t
+ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ {
+ unsigned c1, vb, hb, nr1, nc1;
++ unsigned stride_a, stride_b, stride;
+ int rst = data->dri;
+
+ vb = 8 << data->log_vs;
+@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data)
+ nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs);
+ nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs);
+
++ if (grub_mul(vb, data->image_width, &stride_a) ||
++ grub_mul(hb, nc1, &stride_b) ||
++ grub_sub(stride_a, stride_b, &stride))
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ "jpeg: cannot decode image with these dimensions");
++
+ for (; data->r1 < nr1 && (!data->dri || rst);
+- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
++ data->r1++, data->bitmap_ptr += stride * 3)
+ for (c1 = 0; c1 < nc1 && (!data->dri || rst);
+ c1++, rst--, data->bitmap_ptr += hb * 3)
+ {
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
new file mode 100644
index 0000000000..e27027ea65
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981.patch
@@ -0,0 +1,32 @@
+From 67740c43c9326956ea5cd6be77f813b5499a56a5 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 27 Jun 2022 10:15:29 +0530
+Subject: [PATCH] CVE-2021-3981
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/diff/util/grub-mkconfig.in?id=0adec29674561034771c13e446069b41ef41e4d4]
+CVE: CVE-2021-3981
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ util/grub-mkconfig.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index 9f477ff..ead94a6 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -287,7 +287,11 @@ and /etc/grub.d/* files or please file a bug report with
+ exit 1
+ else
+ # none of the children aborted with error, install the new grub.cfg
+- mv -f ${grub_cfg}.new ${grub_cfg}
++ oldumask=$(umask)
++ umask 077
++ cat ${grub_cfg}.new > ${grub_cfg}
++ umask $oldumask
++ rm -f ${grub_cfg}.new
+ fi
+ fi
+
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
new file mode 100644
index 0000000000..090f693be3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-2601.patch
@@ -0,0 +1,87 @@
+From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 01:58:27 +0800
+Subject: [PATCH] font: Fix several integer overflows in
+ grub_font_construct_glyph()
+
+This patch fixes several integer overflows in grub_font_construct_glyph().
+Glyphs of invalid size, zero or leading to an overflow, are rejected.
+The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
+returns NULL is fixed too.
+
+Fixes: CVE-2022-2601
+
+Reported-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e]
+CVE: CVE-2022-2601
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index df17dba..f110db9 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1509,6 +1509,7 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ struct grub_video_signed_rect bounds;
+ static struct grub_font_glyph *glyph = 0;
+ static grub_size_t max_glyph_size = 0;
++ grub_size_t cur_glyph_size;
+
+ ensure_comb_space (glyph_id);
+
+@@ -1525,29 +1526,33 @@ grub_font_construct_glyph (grub_font_t hinted_font,
+ if (!glyph_id->ncomb && !glyph_id->attributes)
+ return main_glyph;
+
+- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT)
++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) ||
++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size))
++ return main_glyph;
++
++ if (max_glyph_size < cur_glyph_size)
+ {
+ grub_free (glyph);
+- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
+- if (max_glyph_size < 8)
+- max_glyph_size = 8;
+- glyph = grub_malloc (max_glyph_size);
++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size))
++ max_glyph_size = 0;
++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL;
+ }
+ if (!glyph)
+ {
++ max_glyph_size = 0;
+ grub_errno = GRUB_ERR_NONE;
+ return main_glyph;
+ }
+
+- grub_memset (glyph, 0, sizeof (*glyph)
+- + (bounds.width * bounds.height
+- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT);
++ grub_memset (glyph, 0, cur_glyph_size);
+
+ glyph->font = main_glyph->font;
+- glyph->width = bounds.width;
+- glyph->height = bounds.height;
+- glyph->offset_x = bounds.x;
+- glyph->offset_y = bounds.y;
++ if (bounds.width == 0 || bounds.height == 0 ||
++ grub_cast (bounds.width, &glyph->width) ||
++ grub_cast (bounds.height, &glyph->height) ||
++ grub_cast (bounds.x, &glyph->offset_x) ||
++ grub_cast (bounds.y, &glyph->offset_y))
++ return main_glyph;
+
+ if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR)
+ grub_font_blit_glyph_mirror (glyph, main_glyph,
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28733.patch b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
new file mode 100644
index 0000000000..6cfdf20e2d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28733.patch
@@ -0,0 +1,60 @@
+From 415fb5eb83cbd3b5cfc25ac1290f2de4fe3d231c Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:48:34 +0530
+Subject: [PATCH] CVE-2022-28733
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3e4817538de828319ba6d59ced2fbb9b5ca13287]
+CVE: CVE-2022-28733
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/ip: Do IP fragment maths safely
+
+We can receive packets with invalid IP fragmentation information. This
+can lead to rsm->total_len underflowing and becoming very large.
+
+Then, in grub_netbuff_alloc(), we add to this very large number, which can
+cause it to overflow and wrap back around to a small positive number.
+The allocation then succeeds, but the resulting buffer is too small and
+subsequent operations can write past the end of the buffer.
+
+Catch the underflow here.
+
+Fixes: CVE-2022-28733
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/ip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/net/ip.c b/grub-core/net/ip.c
+index ea5edf8..74e4e8b 100644
+--- a/grub-core/net/ip.c
++++ b/grub-core/net/ip.c
+@@ -25,6 +25,7 @@
+ #include <grub/net/netbuff.h>
+ #include <grub/mm.h>
+ #include <grub/priority_queue.h>
++#include <grub/safemath.h>
+ #include <grub/time.h>
+
+ struct iphdr {
+@@ -512,7 +513,14 @@ grub_net_recv_ip4_packets (struct grub_net_buff *nb,
+ {
+ rsm->total_len = (8 * (grub_be_to_cpu16 (iph->frags) & OFFSET_MASK)
+ + (nb->tail - nb->data));
+- rsm->total_len -= ((iph->verhdrlen & 0xf) * sizeof (grub_uint32_t));
++
++ if (grub_sub (rsm->total_len, (iph->verhdrlen & 0xf) * sizeof (grub_uint32_t),
++ &rsm->total_len))
++ {
++ grub_dprintf ("net", "IP reassembly size underflow\n");
++ return GRUB_ERR_NONE;
++ }
++
+ rsm->asm_netbuff = grub_netbuff_alloc (rsm->total_len);
+ if (!rsm->asm_netbuff)
+ {
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28734.patch b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
new file mode 100644
index 0000000000..577ec10bea
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28734.patch
@@ -0,0 +1,67 @@
+From f03f09c2a07eae7f3a4646e33a406ae2689afb9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 10:59:41 +0530
+Subject: [PATCH] CVE-2022-28734
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=b26b4c08e7119281ff30d0fb4a6169bd2afa8fe4]
+CVE: CVE-2022-28734
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+net/http: Fix OOB write for split http headers
+
+GRUB has special code for handling an http header that is split
+across two packets.
+
+The code tracks the end of line by looking for a "\n" byte. The
+code for split headers has always advanced the pointer just past the
+end of the line, whereas the code that handles unsplit headers does
+not advance the pointer. This extra advance causes the length to be
+one greater, which breaks an assumption in parse_line(), leading to
+it writing a NUL byte one byte past the end of the buffer where we
+reconstruct the line from the two packets.
+
+It's conceivable that an attacker controlled set of packets could
+cause this to zero out the first byte of the "next" pointer of the
+grub_mm_region structure following the current_line buffer.
+
+Do not advance the pointer in the split header case.
+
+Fixes: CVE-2022-28734
+---
+ grub-core/net/http.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/net/http.c b/grub-core/net/http.c
+index 5aa4ad3..a220d21 100644
+--- a/grub-core/net/http.c
++++ b/grub-core/net/http.c
+@@ -68,7 +68,15 @@ parse_line (grub_file_t file, http_data_t data, char *ptr, grub_size_t len)
+ char *end = ptr + len;
+ while (end > ptr && *(end - 1) == '\r')
+ end--;
++
++ /* LF without CR. */
++ if (end == ptr + len)
++ {
++ data->errmsg = grub_strdup (_("invalid HTTP header - LF without CR"));
++ return GRUB_ERR_NONE;
++ }
+ *end = 0;
++
+ /* Trailing CRLF. */
+ if (data->in_chunk_len == 1)
+ {
+@@ -190,9 +198,7 @@ http_receive (grub_net_tcp_socket_t sock __attribute__ ((unused)),
+ int have_line = 1;
+ char *t;
+ ptr = grub_memchr (nb->data, '\n', nb->tail - nb->data);
+- if (ptr)
+- ptr++;
+- else
++ if (ptr == NULL)
+ {
+ have_line = 0;
+ ptr = (char *) nb->tail;
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28735.patch b/meta/recipes-bsp/grub/files/CVE-2022-28735.patch
new file mode 100644
index 0000000000..89b653a8da
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28735.patch
@@ -0,0 +1,271 @@
+From 6fe755c5c07bb386fda58306bfd19e4a1c974c53 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Thu, 2 Dec 2021 15:03:53 +0100
+Subject: kern/efi/sb: Reject non-kernel files in the shim_lock verifier
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=6fe755c5c07bb386fda58306bfd19e4a1c974c53]
+CVE: CVE-2022-28735
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+We must not allow other verifiers to pass things like the GRUB modules.
+Instead of maintaining a blocklist, maintain an allowlist of things
+that we do not care about.
+
+This allowlist really should be made reusable, and shared by the
+lockdown verifier, but this is the minimal patch addressing
+security concerns where the TPM verifier was able to mark modules
+as verified (or the OpenPGP verifier for that matter), when it
+should not do so on shim-powered secure boot systems.
+
+Fixes: CVE-2022-28735
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/sb.c | 221 ++++++++++++++++++++++++++++++++++++++++
+ include/grub/verify.h | 1 +
+ 2 files changed, 222 insertions(+)
+ create mode 100644 grub-core/kern/efi/sb.c
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+new file mode 100644
+index 0000000..89c4bb3
+--- /dev/null
++++ b/grub-core/kern/efi/sb.c
+@@ -0,0 +1,221 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ * UEFI Secure Boot related checkings.
++ */
++
++#include <grub/efi/efi.h>
++#include <grub/efi/pe32.h>
++#include <grub/efi/sb.h>
++#include <grub/env.h>
++#include <grub/err.h>
++#include <grub/file.h>
++#include <grub/i386/linux.h>
++#include <grub/kernel.h>
++#include <grub/mm.h>
++#include <grub/types.h>
++#include <grub/verify.h>
++
++static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
++
++/*
++ * Determine whether we're in secure boot mode.
++ *
++ * Please keep the logic in sync with the Linux kernel,
++ * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot().
++ */
++grub_uint8_t
++grub_efi_get_secureboot (void)
++{
++ static grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_efi_status_t status;
++ grub_efi_uint32_t attr = 0;
++ grub_size_t size = 0;
++ grub_uint8_t *secboot = NULL;
++ grub_uint8_t *setupmode = NULL;
++ grub_uint8_t *moksbstate = NULL;
++ grub_uint8_t secureboot = GRUB_EFI_SECUREBOOT_MODE_UNKNOWN;
++ const char *secureboot_str = "UNKNOWN";
++
++ status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid,
++ &size, (void **) &secboot);
++
++ if (status == GRUB_EFI_NOT_FOUND)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ status = grub_efi_get_variable ("SetupMode", &efi_variable_guid,
++ &size, (void **) &setupmode);
++
++ if (status != GRUB_EFI_SUCCESS)
++ goto out;
++
++ if ((*secboot == 0) || (*setupmode == 1))
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ /*
++ * See if a user has put the shim into insecure mode. If so, and if the
++ * variable doesn't have the runtime attribute set, we might as well
++ * honor that.
++ */
++ status = grub_efi_get_variable_with_attributes ("MokSBState", &shim_lock_guid,
++ &size, (void **) &moksbstate, &attr);
++
++ /* If it fails, we don't care why. Default to secure. */
++ if (status != GRUB_EFI_SUCCESS)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++ goto out;
++ }
++
++ if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
++ {
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
++ goto out;
++ }
++
++ secureboot = GRUB_EFI_SECUREBOOT_MODE_ENABLED;
++
++ out:
++ grub_free (moksbstate);
++ grub_free (setupmode);
++ grub_free (secboot);
++
++ if (secureboot == GRUB_EFI_SECUREBOOT_MODE_DISABLED)
++ secureboot_str = "Disabled";
++ else if (secureboot == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ secureboot_str = "Enabled";
++
++ grub_dprintf ("efi", "UEFI Secure Boot state: %s\n", secureboot_str);
++
++ return secureboot;
++}
++
++static grub_err_t
++shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
++ enum grub_file_type type,
++ void **context __attribute__ ((unused)),
++ enum grub_verify_flags *flags)
++{
++ *flags = GRUB_VERIFY_FLAGS_NONE;
++
++ switch (type & GRUB_FILE_TYPE_MASK)
++ {
++ /* Files we check. */
++ case GRUB_FILE_TYPE_LINUX_KERNEL:
++ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
++ case GRUB_FILE_TYPE_BSD_KERNEL:
++ case GRUB_FILE_TYPE_XNU_KERNEL:
++ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
++ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
++ return GRUB_ERR_NONE;
++
++ /* Files that do not affect secureboot state. */
++ case GRUB_FILE_TYPE_NONE:
++ case GRUB_FILE_TYPE_LOOPBACK:
++ case GRUB_FILE_TYPE_LINUX_INITRD:
++ case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
++ case GRUB_FILE_TYPE_XNU_RAMDISK:
++ case GRUB_FILE_TYPE_SIGNATURE:
++ case GRUB_FILE_TYPE_PUBLIC_KEY:
++ case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
++ case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
++ case GRUB_FILE_TYPE_TESTLOAD:
++ case GRUB_FILE_TYPE_GET_SIZE:
++ case GRUB_FILE_TYPE_FONT:
++ case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
++ case GRUB_FILE_TYPE_CAT:
++ case GRUB_FILE_TYPE_HEXCAT:
++ case GRUB_FILE_TYPE_CMP:
++ case GRUB_FILE_TYPE_HASHLIST:
++ case GRUB_FILE_TYPE_TO_HASH:
++ case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
++ case GRUB_FILE_TYPE_PIXMAP:
++ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
++ case GRUB_FILE_TYPE_CONFIG:
++ case GRUB_FILE_TYPE_THEME:
++ case GRUB_FILE_TYPE_GETTEXT_CATALOG:
++ case GRUB_FILE_TYPE_FS_SEARCH:
++ case GRUB_FILE_TYPE_LOADENV:
++ case GRUB_FILE_TYPE_SAVEENV:
++ case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
++ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
++ return GRUB_ERR_NONE;
++
++ /* Other files. */
++ default:
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
++ }
++}
++
++static grub_err_t
++shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
++{
++ grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ if (!sl)
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
++
++ if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
++
++ return GRUB_ERR_NONE;
++}
++
++struct grub_file_verifier shim_lock_verifier =
++ {
++ .name = "shim_lock_verifier",
++ .init = shim_lock_verifier_init,
++ .write = shim_lock_verifier_write
++ };
++
++void
++grub_shim_lock_verifier_setup (void)
++{
++ struct grub_module_header *header;
++ grub_efi_shim_lock_protocol_t *sl =
++ grub_efi_locate_protocol (&shim_lock_guid, 0);
++
++ /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
++ if (!sl)
++ {
++ FOR_MODULES (header)
++ {
++ if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
++ return;
++ }
++ }
++
++ /* Secure Boot is off. Do not load shim_lock. */
++ if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
++ return;
++
++ /* Enforce shim_lock_verifier. */
++ grub_verifier_register (&shim_lock_verifier);
++
++ grub_env_set ("shim_lock", "y");
++ grub_env_export ("shim_lock");
++}
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c3..672ae16 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -24,6 +24,7 @@
+
+ enum grub_verify_flags
+ {
++ GRUB_VERIFY_FLAGS_NONE = 0,
+ GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
+ /* Defer verification to another authority. */
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-28736.patch b/meta/recipes-bsp/grub/files/CVE-2022-28736.patch
new file mode 100644
index 0000000000..4fc9fdaf05
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-28736.patch
@@ -0,0 +1,275 @@
+From 431a111c60095fc973d83fe9209f26f29ce78784 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 1 Aug 2022 11:17:17 +0530
+Subject: [PATCH] CVE-2022-28736
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=04c86e0bb7b58fc2f913f798cdb18934933e532d]
+CVE: CVE-2022-28736
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+loader/efi/chainloader: Use grub_loader_set_ex()
+
+This ports the EFI chainloader to use grub_loader_set_ex() in order to fix
+a use-after-free bug that occurs when grub_cmd_chainloader() is executed
+more than once before a boot attempt is performed.
+
+Fixes: CVE-2022-28736
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++----
+ grub-core/loader/efi/chainloader.c | 46 +++++++++++----------
+ include/grub/loader.h | 5 +++
+ 3 files changed, 87 insertions(+), 30 deletions(-)
+
+diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
+index bbca81e..6151478 100644
+--- a/grub-core/commands/boot.c
++++ b/grub-core/commands/boot.c
+@@ -27,10 +27,20 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+-static grub_err_t (*grub_loader_boot_func) (void);
+-static grub_err_t (*grub_loader_unload_func) (void);
++static grub_err_t (*grub_loader_boot_func) (void *context);
++static grub_err_t (*grub_loader_unload_func) (void *context);
++static void *grub_loader_context;
+ static int grub_loader_flags;
+
++struct grub_simple_loader_hooks
++{
++ grub_err_t (*boot) (void);
++ grub_err_t (*unload) (void);
++};
++
++/* Don't heap allocate this to avoid making grub_loader_set() fallible. */
++static struct grub_simple_loader_hooks simple_loader_hooks;
++
+ struct grub_preboot
+ {
+ grub_err_t (*preboot_func) (int);
+@@ -44,6 +54,29 @@ static int grub_loader_loaded;
+ static struct grub_preboot *preboots_head = 0,
+ *preboots_tail = 0;
+
++static grub_err_t
++grub_simple_boot_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++ return hooks->boot ();
++}
++
++static grub_err_t
++grub_simple_unload_hook (void *context)
++{
++ struct grub_simple_loader_hooks *hooks;
++ grub_err_t ret;
++
++ hooks = (struct grub_simple_loader_hooks *) context;
++
++ ret = hooks->unload ();
++ grub_memset (hooks, 0, sizeof (*hooks));
++
++ return ret;
++}
++
+ int
+ grub_loader_is_loaded (void)
+ {
+@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd)
+ }
+
+ void
+-grub_loader_set (grub_err_t (*boot) (void),
+- grub_err_t (*unload) (void),
+- int flags)
++grub_loader_set_ex (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = boot;
+ grub_loader_unload_func = unload;
++ grub_loader_context = context;
+ grub_loader_flags = flags;
+
+ grub_loader_loaded = 1;
+ }
+
++void
++grub_loader_set (grub_err_t (*boot) (void),
++ grub_err_t (*unload) (void),
++ int flags)
++{
++ grub_loader_set_ex (grub_simple_boot_hook,
++ grub_simple_unload_hook,
++ &simple_loader_hooks,
++ flags);
++
++ simple_loader_hooks.boot = boot;
++ simple_loader_hooks.unload = unload;
++}
++
+ void
+ grub_loader_unset(void)
+ {
+ if (grub_loader_loaded && grub_loader_unload_func)
+- grub_loader_unload_func ();
++ grub_loader_unload_func (grub_loader_context);
+
+ grub_loader_boot_func = 0;
+ grub_loader_unload_func = 0;
++ grub_loader_context = 0;
+
+ grub_loader_loaded = 0;
+ }
+@@ -158,7 +208,7 @@ grub_loader_boot (void)
+ return err;
+ }
+ }
+- err = (grub_loader_boot_func) ();
++ err = (grub_loader_boot_func) (grub_loader_context);
+
+ for (cur = preboots_tail; cur; cur = cur->prev)
+ if (! err)
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index a8d7b91..93a028a 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -44,33 +44,28 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ static grub_dl_t my_mod;
+
+-static grub_efi_physical_address_t address;
+-static grub_efi_uintn_t pages;
+-static grub_efi_device_path_t *file_path;
+-static grub_efi_handle_t image_handle;
+-static grub_efi_char16_t *cmdline;
+-
+ static grub_err_t
+-grub_chainloader_unload (void)
++grub_chainloader_unload (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
++ grub_efi_loaded_image_t *loaded_image;
+ grub_efi_boot_services_t *b;
+
++ loaded_image = grub_efi_get_loaded_image (image_handle);
++ if (loaded_image != NULL)
++ grub_free (loaded_image->load_options);
++
+ b = grub_efi_system_table->boot_services;
+ efi_call_1 (b->unload_image, image_handle);
+- efi_call_2 (b->free_pages, address, pages);
+-
+- grub_free (file_path);
+- grub_free (cmdline);
+- cmdline = 0;
+- file_path = 0;
+
+ grub_dl_unref (my_mod);
+ return GRUB_ERR_NONE;
+ }
+
+ static grub_err_t
+-grub_chainloader_boot (void)
++grub_chainloader_boot (void *context)
+ {
++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context;
+ grub_efi_boot_services_t *b;
+ grub_efi_status_t status;
+ grub_efi_uintn_t exit_data_size;
+@@ -139,7 +134,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+ char *dir_start;
+ char *dir_end;
+ grub_size_t size;
+- grub_efi_device_path_t *d;
++ grub_efi_device_path_t *d, *file_path;
+
+ dir_start = grub_strchr (filename, ')');
+ if (! dir_start)
+@@ -215,11 +210,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_efi_status_t status;
+ grub_efi_boot_services_t *b;
+ grub_device_t dev = 0;
+- grub_efi_device_path_t *dp = 0;
++ grub_efi_device_path_t *dp = NULL, *file_path = NULL;
+ grub_efi_loaded_image_t *loaded_image;
+ char *filename;
+ void *boot_image = 0;
+ grub_efi_handle_t dev_handle = 0;
++ grub_efi_physical_address_t address = 0;
++ grub_efi_uintn_t pages = 0;
++ grub_efi_char16_t *cmdline = NULL;
++ grub_efi_handle_t image_handle = NULL;
+
+ if (argc == 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -227,11 +226,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+
+ grub_dl_ref (my_mod);
+
+- /* Initialize some global variables. */
+- address = 0;
+- image_handle = 0;
+- file_path = 0;
+-
+ b = grub_efi_system_table->boot_services;
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
+@@ -401,7 +395,11 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ grub_file_close (file);
+ grub_device_close (dev);
+
+- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0);
++ /* We're finished with the source image buffer and file path now. */
++ efi_call_2 (b->free_pages, address, pages);
++ grub_free (file_path);
++
++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0);
+ return 0;
+
+ fail:
+@@ -412,11 +410,15 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
+ if (file)
+ grub_file_close (file);
+
++ grub_free (cmdline);
+ grub_free (file_path);
+
+ if (address)
+ efi_call_2 (b->free_pages, address, pages);
+
++ if (image_handle != NULL)
++ efi_call_1 (b->unload_image, image_handle);
++
+ grub_dl_unref (my_mod);
+
+ return grub_errno;
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index 7f82a49..3071a50 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -39,6 +39,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+ grub_err_t (*unload) (void),
+ int flags);
+
++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context),
++ grub_err_t (*unload) (void *context),
++ void *context,
++ int flags);
++
+ /* Unset current loader, if any. */
+ void EXPORT_FUNC (grub_loader_unset) (void);
+
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
new file mode 100644
index 0000000000..e2e3f35584
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2022-3775.patch
@@ -0,0 +1,97 @@
+From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Mon, 24 Oct 2022 08:05:35 +0800
+Subject: [PATCH] font: Fix an integer underflow in blit_comb()
+
+The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
+evaluate to a very big invalid value even if both ctx.bounds.height and
+combining_glyphs[i]->height are small integers. For example, if
+ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
+expression evaluates to 2147483647 (expected -1). This is because
+coordinates are allowed to be negative but ctx.bounds.height is an
+unsigned int. So, the subtraction operates on unsigned ints and
+underflows to a very big value. The division makes things even worse.
+The quotient is still an invalid value even if converted back to int.
+
+This patch fixes the problem by casting ctx.bounds.height to int. As
+a result the subtraction will operate on int and grub_uint16_t which
+will be promoted to an int. So, the underflow will no longer happen. Other
+uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
+to ensure coordinates are always calculated on signed integers.
+
+Fixes: CVE-2022-3775
+
+Reported-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af]
+CVE: CVE-2022-3775
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index f110db9..3b76b22 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -1200,12 +1200,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ ctx.bounds.height = main_glyph->height;
+
+ above_rightx = main_glyph->offset_x + main_glyph->width;
+- above_righty = ctx.bounds.y + ctx.bounds.height;
++ above_righty = ctx.bounds.y + (int) ctx.bounds.height;
+
+ above_leftx = main_glyph->offset_x;
+- above_lefty = ctx.bounds.y + ctx.bounds.height;
++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height;
+
+- below_rightx = ctx.bounds.x + ctx.bounds.width;
++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width;
+ below_righty = ctx.bounds.y;
+
+ comb = grub_unicode_get_comb (glyph_id);
+@@ -1218,7 +1218,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ if (!combining_glyphs[i])
+ continue;
+- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x;
+ /* CGJ is to avoid diacritics reordering. */
+ if (comb[i].code
+ == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER)
+@@ -1228,8 +1228,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ case GRUB_UNICODE_COMB_OVERLAY:
+ do_blit (combining_glyphs[i],
+ targetx,
+- (ctx.bounds.height - combining_glyphs[i]->height) / 2
+- - (ctx.bounds.height + ctx.bounds.y), &ctx);
++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2
++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+ break;
+@@ -1302,7 +1302,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+ /* Fallthrough. */
+ case GRUB_UNICODE_STACK_ATTACHED_ABOVE:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height + ctx.bounds.y + space
++ -((int) ctx.bounds.height + ctx.bounds.y + space
+ + combining_glyphs[i]->height), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+@@ -1310,7 +1310,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id,
+
+ case GRUB_UNICODE_COMB_HEBREW_DAGESH:
+ do_blit (combining_glyphs[i], targetx,
+- -(ctx.bounds.height / 2 + ctx.bounds.y
++ -((int) ctx.bounds.height / 2 + ctx.bounds.y
+ + combining_glyphs[i]->height / 2), &ctx);
+ if (min_devwidth < combining_glyphs[i]->width)
+ min_devwidth = combining_glyphs[i]->width;
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4692.patch b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
new file mode 100644
index 0000000000..0e74870ebf
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4692.patch
@@ -0,0 +1,97 @@
+From 43651027d24e62a7a463254165e1e46e42aecdea Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:31:57 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+ attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=43651027d24e62a7a463254165e1e46e42aecdea]
+CVE: CVE-2023-4692
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 2f34f76..c8d3683 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ if (at->attr_end)
+ {
+- grub_uint8_t *pa;
++ grub_uint8_t *pa, *pa_end;
+
+ at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ }
+ at->attr_nxt = at->edat_buf;
+ at->attr_end = at->edat_buf + u32at (pa, 0x30);
++ pa_end = at->edat_buf + n;
+ }
+ else
+ {
+ at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ at->attr_end = at->attr_end + u32at (pa, 4);
++ pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ }
+ at->flags |= GRUB_NTFS_AF_ALST;
+ while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ at->flags |= GRUB_NTFS_AF_GPOS;
+ at->attr_cur = at->attr_nxt;
+ pa = at->attr_cur;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ grub_set_unaligned32 ((char *) pa + 0x10,
+ grub_cpu_to_le32 (at->mft->data->mft_start));
+ grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ {
+ if (*pa != attr)
+ break;
++
++ if ((pa >= pa_end) || (pa_end - pa < 0x18))
++ {
++ grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++ return NULL;
++ }
++
+ if (read_attr
+ (at, pa + 0x10,
+ u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..1e6b6efdec
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index c8d3683..4d1fe42 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ {
+ if (ofs + len > u32at (pa, 0x10))
+ return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+- grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++ if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++ if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++ (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++ return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++ grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+ return 0;
+ }
+
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch b/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
new file mode 100644
index 0000000000..c9536e68ef
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/calloc-Make-sure-we-always-have-an-overflow-checking.patch
@@ -0,0 +1,246 @@
+From c005f62f5c4b26a77b916c8f76a852324439ecb3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:15:29 -0400
+Subject: [PATCH 2/9] calloc: Make sure we always have an overflow-checking
+ calloc() available
+
+This tries to make sure that everywhere in this source tree, we always have
+an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
+available, and that they all safely check for overflow and return NULL when
+it would occur.
+
+Upstream-Status: Backport [commit 64e26162ebfe68317c143ca5ec996c892019f8f8
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/kern/emu/misc.c | 12 ++++++++++++
+ grub-core/kern/emu/mm.c | 10 ++++++++++
+ grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++++++++++
+ grub-core/lib/libgcrypt_wrap/mem.c | 11 +++++++++--
+ grub-core/lib/posix_wrap/stdlib.h | 8 +++++++-
+ include/grub/emu/misc.h | 1 +
+ include/grub/mm.h | 6 ++++++
+ 7 files changed, 85 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
+index 65db79b..dfd8a8e 100644
+--- a/grub-core/kern/emu/misc.c
++++ b/grub-core/kern/emu/misc.c
+@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
+ exit (1);
+ }
+
++void *
++xcalloc (grub_size_t nmemb, grub_size_t size)
++{
++ void *p;
++
++ p = calloc (nmemb, size);
++ if (!p)
++ grub_util_error ("%s", _("out of memory"));
++
++ return p;
++}
++
+ void *
+ xmalloc (grub_size_t size)
+ {
+diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
+index f262e95..145b01d 100644
+--- a/grub-core/kern/emu/mm.c
++++ b/grub-core/kern/emu/mm.c
+@@ -25,6 +25,16 @@
+ #include <string.h>
+ #include <grub/i18n.h>
+
++void *
++grub_calloc (grub_size_t nmemb, grub_size_t size)
++{
++ void *ret;
++ ret = calloc (nmemb, size);
++ if (!ret)
++ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
++ return ret;
++}
++
+ void *
+ grub_malloc (grub_size_t size)
+ {
+diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
+index ee88ff6..f2822a8 100644
+--- a/grub-core/kern/mm.c
++++ b/grub-core/kern/mm.c
+@@ -67,8 +67,10 @@
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+ #include <grub/mm_private.h>
++#include <grub/safemath.h>
+
+ #ifdef MM_DEBUG
++# undef grub_calloc
+ # undef grub_malloc
+ # undef grub_zalloc
+ # undef grub_realloc
+@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
+ return 0;
+ }
+
++/*
++ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
++ * integer overflow.
++ */
++void *
++grub_calloc (grub_size_t nmemb, grub_size_t size)
++{
++ void *ret;
++ grub_size_t sz = 0;
++
++ if (grub_mul (nmemb, size, &sz))
++ {
++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++ return NULL;
++ }
++
++ ret = grub_memalign (0, sz);
++ if (!ret)
++ return NULL;
++
++ grub_memset (ret, 0, sz);
++ return ret;
++}
++
+ /* Allocate SIZE bytes and return the pointer. */
+ void *
+ grub_malloc (grub_size_t size)
+@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
+ grub_printf ("\n");
+ }
+
++void *
++grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
++{
++ void *ptr;
++
++ if (grub_mm_debug)
++ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
++ file, line, size);
++ ptr = grub_calloc (nmemb, size);
++ if (grub_mm_debug)
++ grub_printf ("%p\n", ptr);
++ return ptr;
++}
++
+ void *
+ grub_debug_malloc (const char *file, int line, grub_size_t size)
+ {
+diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
+index beeb661..74c6eaf 100644
+--- a/grub-core/lib/libgcrypt_wrap/mem.c
++++ b/grub-core/lib/libgcrypt_wrap/mem.c
+@@ -4,6 +4,7 @@
+ #include <grub/crypto.h>
+ #include <grub/dl.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -36,7 +37,10 @@ void *
+ gcry_xcalloc (size_t n, size_t m)
+ {
+ void *ret;
+- ret = grub_zalloc (n * m);
++ size_t sz;
++ if (grub_mul (n, m, &sz))
++ grub_fatal ("gcry_xcalloc would overflow");
++ ret = grub_zalloc (sz);
+ if (!ret)
+ grub_fatal ("gcry_xcalloc failed");
+ return ret;
+@@ -56,7 +60,10 @@ void *
+ gcry_xcalloc_secure (size_t n, size_t m)
+ {
+ void *ret;
+- ret = grub_zalloc (n * m);
++ size_t sz;
++ if (grub_mul (n, m, &sz))
++ grub_fatal ("gcry_xcalloc would overflow");
++ ret = grub_zalloc (sz);
+ if (!ret)
+ grub_fatal ("gcry_xcalloc failed");
+ return ret;
+diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
+index 3b46f47..7a8d385 100644
+--- a/grub-core/lib/posix_wrap/stdlib.h
++++ b/grub-core/lib/posix_wrap/stdlib.h
+@@ -21,6 +21,7 @@
+
+ #include <grub/mm.h>
+ #include <grub/misc.h>
++#include <grub/safemath.h>
+
+ static inline void
+ free (void *ptr)
+@@ -37,7 +38,12 @@ malloc (grub_size_t size)
+ static inline void *
+ calloc (grub_size_t size, grub_size_t nelem)
+ {
+- return grub_zalloc (size * nelem);
++ grub_size_t sz;
++
++ if (grub_mul (size, nelem, &sz))
++ return NULL;
++
++ return grub_zalloc (sz);
+ }
+
+ static inline void *
+diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
+index ce464cf..ff9c48a 100644
+--- a/include/grub/emu/misc.h
++++ b/include/grub/emu/misc.h
+@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
+ #define GRUB_HOST_PRIuLONG_LONG "llu"
+ #define GRUB_HOST_PRIxLONG_LONG "llx"
+
++void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
+ void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
+ void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
+ char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
+diff --git a/include/grub/mm.h b/include/grub/mm.h
+index 28e2e53..9c38dd3 100644
+--- a/include/grub/mm.h
++++ b/include/grub/mm.h
+@@ -29,6 +29,7 @@
+ #endif
+
+ void grub_mm_init_region (void *addr, grub_size_t size);
++void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
+ void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
+ void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
+ void EXPORT_FUNC(grub_free) (void *ptr);
+@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
+ void grub_mm_dump_free (void);
+ void grub_mm_dump (unsigned lineno);
+
++#define grub_calloc(nmemb, size) \
++ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
++
+ #define grub_malloc(size) \
+ grub_debug_malloc (GRUB_FILE, __LINE__, size)
+
+@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
+ #define grub_free(ptr) \
+ grub_debug_free (GRUB_FILE, __LINE__, ptr)
+
++void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
++ grub_size_t nmemb, grub_size_t size);
+ void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
+ grub_size_t size);
+ void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/determinism.patch b/meta/recipes-bsp/grub/files/determinism.patch
new file mode 100644
index 0000000000..bd4e7188ec
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/determinism.patch
@@ -0,0 +1,56 @@
+The output in moddep.lst generated from syminfo.lst using genmoddep.awk is
+not deterministic since the order of the dependencies on each line can vary
+depending on how awk sorts the values in the array.
+
+Be deterministic in the output by sorting the dependencies on each line.
+
+Also, the output of the SOURCES lines in grub-core/Makefile.core.am, generated
+from grub-core/Makefile.core.def with gentpl.py is not deterministic due to
+missing sorting of the list used to generate it. Add such a sort.
+
+Also ensure the generated unidata.c file is deterministic by sorting the
+keys of the dict.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2023-06/index.html]
+Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: grub-2.04/grub-core/genmoddep.awk
+===================================================================
+--- grub-2.04.orig/grub-core/genmoddep.awk
++++ grub-2.04/grub-core/genmoddep.awk
+@@ -59,7 +59,9 @@ END {
+ }
+ modlist = ""
+ depcount[mod] = 0
+- for (depmod in uniqmods) {
++ n = asorti(uniqmods, w)
++ for (i = 1; i <= n; i++) {
++ depmod = w[i]
+ modlist = modlist " " depmod;
+ inverse_dependencies[depmod] = inverse_dependencies[depmod] " " mod
+ depcount[mod]++
+Index: grub-2.04/gentpl.py
+===================================================================
+--- grub-2.04.orig/gentpl.py
++++ grub-2.04/gentpl.py
+@@ -568,6 +568,7 @@ def foreach_platform_value(defn, platfor
+ for group in RMAP[platform]:
+ for value in defn.find_all(group + suffix):
+ r.append(closure(value))
++ r.sort()
+ return ''.join(r)
+
+ def platform_conditional(platform, closure):
+Index: grub-2.04/util/import_unicode.py
+===================================================================
+--- grub-2.04.orig/util/import_unicode.py
++++ grub-2.04/util/import_unicode.py
+@@ -174,7 +174,7 @@ infile.close ()
+
+ outfile.write ("struct grub_unicode_arabic_shape grub_unicode_arabic_shapes[] = {\n ")
+
+-for x in arabicsubst:
++for x in sorted(arabicsubst):
+ try:
+ if arabicsubst[x]['join'] == "DUAL":
+ outfile.write ("{0x%x, 0x%x, 0x%x, 0x%x, 0x%x},\n " % (arabicsubst[x][0], arabicsubst[x][1], arabicsubst[x][2], arabicsubst[x][3], arabicsubst[x][4]))
diff --git a/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
new file mode 100644
index 0000000000..d4ba3cafc5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
@@ -0,0 +1,117 @@
+From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001
+From: Zhang Boyang <zhangboyang.id@gmail.com>
+Date: Fri, 5 Aug 2022 00:51:20 +0800
+Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal()
+
+The length of memory allocation and file read may overflow. This patch
+fixes the problem by using safemath macros.
+
+There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
+if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
+It is safe replacement for such code. It has safemath-like prototype.
+
+This patch also introduces grub_cast(value, pointer), it casts value to
+typeof(*pointer) then store the value to *pointer. It returns true when
+overflow occurs or false if there is no overflow. The semantics of arguments
+and return value are designed to be consistent with other safemath macros.
+
+Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/font/font.c | 17 +++++++++++++----
+ include/grub/bitmap.h | 18 ++++++++++++++++++
+ include/grub/safemath.h | 2 ++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477..df17dba 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -733,7 +733,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ grub_int16_t xoff;
+ grub_int16_t yoff;
+ grub_int16_t dwidth;
+- int len;
++ grub_ssize_t len;
++ grub_size_t sz;
+
+ if (index_entry->glyph)
+ /* Return cached glyph. */
+@@ -760,9 +761,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code)
+ return 0;
+ }
+
+- len = (width * height + 7) / 8;
+- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len);
+- if (!glyph)
++ /* Calculate real struct size of current glyph. */
++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) ||
++ grub_add (sizeof (struct grub_font_glyph), len, &sz))
++ {
++ remove_font (font);
++ return 0;
++ }
++
++ /* Allocate and initialize the glyph struct. */
++ glyph = grub_malloc (sz);
++ if (glyph == NULL)
+ {
+ remove_font (font);
+ return 0;
+diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h
+index 5728f8c..0d9603f 100644
+--- a/include/grub/bitmap.h
++++ b/include/grub/bitmap.h
+@@ -23,6 +23,7 @@
+ #include <grub/symbol.h>
+ #include <grub/types.h>
+ #include <grub/video.h>
++#include <grub/safemath.h>
+
+ struct grub_video_bitmap
+ {
+@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap)
+ return bitmap->mode_info.height;
+ }
+
++/*
++ * Calculate and store the size of data buffer of 1bit bitmap in result.
++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs.
++ * Return true when overflow occurs or false if there is no overflow.
++ * This function is intentionally implemented as a macro instead of
++ * an inline function. Although a bit awkward, it preserves data types for
++ * safemath macros and reduces macro side effects as much as possible.
++ *
++ * XXX: Will report false overflow if width * height > UINT64_MAX.
++ */
++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \
++({ \
++ grub_uint64_t _bitmap_pixels; \
++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \
++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \
++})
++
+ void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap,
+ struct grub_video_mode_info *mode_info);
+
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+index c17b89b..bb0f826 100644
+--- a/include/grub/safemath.h
++++ b/include/grub/safemath.h
+@@ -30,6 +30,8 @@
+ #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+ #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
++#define grub_cast(a, res) grub_add ((a), 0, (res))
++
+ #else
+ #error gcc 5.1 or newer or clang 3.8 or newer is required
+ #endif
+--
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch b/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
new file mode 100644
index 0000000000..2b8157f592
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/lvm-Add-LVM-cache-logical-volume-handling.patch
@@ -0,0 +1,287 @@
+From 8eb02bcb5897b238b29ff762402bb0c3028f0eab Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 19 Mar 2020 13:56:13 +0800
+Subject: [PATCH 3/9] lvm: Add LVM cache logical volume handling
+
+The LVM cache logical volume is the logical volume consisting of the original
+and the cache pool logical volume. The original is usually on a larger and
+slower storage device while the cache pool is on a smaller and faster one. The
+performance of the original volume can be improved by storing the frequently
+used data on the cache pool to utilize the greater performance of faster
+device.
+
+The default cache mode "writethrough" ensures that any data written will be
+stored both in the cache and on the origin LV, therefore grub can be straight
+to read the original lv as no data loss is guarenteed.
+
+The second cache mode is "writeback", which delays writing from the cache pool
+back to the origin LV to have increased performance. The drawback is potential
+data loss if losing the associated cache device.
+
+During the boot time grub reads the LVM offline i.e. LVM volumes are not
+activated and mounted, hence it should be fine to read directly from original
+lv since all cached data should have been flushed back in the process of taking
+it offline.
+
+It is also not much helpful to the situation by adding fsync calls to the
+install code. The fsync did not force to write back dirty cache to the original
+device and rather it would update associated cache metadata to complete the
+write transaction with the cache device. IOW the writes to cached blocks still
+go only to the cache device.
+
+To write back dirty cache, as LVM cache did not support dirty cache flush per
+block range, there'no way to do it for file. On the other hand the "cleaner"
+policy is implemented and can be used to write back "all" dirty blocks in a
+cache, which effectively drain all dirty cache gradually to attain and last in
+the "clean" state, which can be useful for shrinking or decommissioning a
+cache. The result and effect is not what we are looking for here.
+
+In conclusion, as it seems no way to enforce file writes to the original
+device, grub may suffer from power failure as it cannot assemble the cache
+device and read the dirty data from it. However since the case is only
+applicable to writeback mode which is sensitive to data lost in nature, I'd
+still like to propose my (relatively simple) patch and treat reading dirty
+cache as improvement.
+
+Upstream-Status: Backport [commit 0454b0445393aafc5600e92ef0c39494e333b135
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/disk/lvm.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 190 insertions(+)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 7b265c7..dc6b83b 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -33,6 +33,14 @@
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
++struct cache_lv
++{
++ struct grub_diskfilter_lv *lv;
++ char *cache_pool;
++ char *origin;
++ struct cache_lv *next;
++};
++
+
+ /* Go the string STR and return the number after STR. *P will point
+ at the number. In case STR is not found, *P will be NULL and the
+@@ -95,6 +103,34 @@ grub_lvm_check_flag (char *p, const char *str, const char *flag)
+ }
+ }
+
++static void
++grub_lvm_free_cache_lvs (struct cache_lv *cache_lvs)
++{
++ struct cache_lv *cache;
++
++ while ((cache = cache_lvs))
++ {
++ cache_lvs = cache_lvs->next;
++
++ if (cache->lv)
++ {
++ unsigned int i;
++
++ for (i = 0; i < cache->lv->segment_count; ++i)
++ if (cache->lv->segments)
++ grub_free (cache->lv->segments[i].nodes);
++ grub_free (cache->lv->segments);
++ grub_free (cache->lv->fullname);
++ grub_free (cache->lv->idname);
++ grub_free (cache->lv->name);
++ }
++ grub_free (cache->lv);
++ grub_free (cache->origin);
++ grub_free (cache->cache_pool);
++ grub_free (cache);
++ }
++}
++
+ static struct grub_diskfilter_vg *
+ grub_lvm_detect (grub_disk_t disk,
+ struct grub_diskfilter_pv_id *id,
+@@ -242,6 +278,8 @@ grub_lvm_detect (grub_disk_t disk,
+
+ if (! vg)
+ {
++ struct cache_lv *cache_lvs = NULL;
++
+ /* First time we see this volume group. We've to create the
+ whole volume group structure. */
+ vg = grub_malloc (sizeof (*vg));
+@@ -671,6 +709,106 @@ grub_lvm_detect (grub_disk_t disk,
+ seg->nodes[seg->node_count - 1].name = tmp;
+ }
+ }
++ else if (grub_memcmp (p, "cache\"",
++ sizeof ("cache\"") - 1) == 0)
++ {
++ struct cache_lv *cache = NULL;
++
++ char *p2, *p3;
++ grub_size_t sz;
++
++ cache = grub_zalloc (sizeof (*cache));
++ if (!cache)
++ goto cache_lv_fail;
++ cache->lv = grub_zalloc (sizeof (*cache->lv));
++ if (!cache->lv)
++ goto cache_lv_fail;
++ grub_memcpy (cache->lv, lv, sizeof (*cache->lv));
++
++ if (lv->fullname)
++ {
++ cache->lv->fullname = grub_strdup (lv->fullname);
++ if (!cache->lv->fullname)
++ goto cache_lv_fail;
++ }
++ if (lv->idname)
++ {
++ cache->lv->idname = grub_strdup (lv->idname);
++ if (!cache->lv->idname)
++ goto cache_lv_fail;
++ }
++ if (lv->name)
++ {
++ cache->lv->name = grub_strdup (lv->name);
++ if (!cache->lv->name)
++ goto cache_lv_fail;
++ }
++
++ skip_lv = 1;
++
++ p2 = grub_strstr (p, "cache_pool = \"");
++ if (!p2)
++ goto cache_lv_fail;
++
++ p2 = grub_strchr (p2, '"');
++ if (!p2)
++ goto cache_lv_fail;
++
++ p3 = ++p2;
++ p3 = grub_strchr (p3, '"');
++ if (!p3)
++ goto cache_lv_fail;
++
++ sz = p3 - p2;
++
++ cache->cache_pool = grub_malloc (sz + 1);
++ if (!cache->cache_pool)
++ goto cache_lv_fail;
++ grub_memcpy (cache->cache_pool, p2, sz);
++ cache->cache_pool[sz] = '\0';
++
++ p2 = grub_strstr (p, "origin = \"");
++ if (!p2)
++ goto cache_lv_fail;
++
++ p2 = grub_strchr (p2, '"');
++ if (!p2)
++ goto cache_lv_fail;
++
++ p3 = ++p2;
++ p3 = grub_strchr (p3, '"');
++ if (!p3)
++ goto cache_lv_fail;
++
++ sz = p3 - p2;
++
++ cache->origin = grub_malloc (sz + 1);
++ if (!cache->origin)
++ goto cache_lv_fail;
++ grub_memcpy (cache->origin, p2, sz);
++ cache->origin[sz] = '\0';
++
++ cache->next = cache_lvs;
++ cache_lvs = cache;
++ break;
++
++ cache_lv_fail:
++ if (cache)
++ {
++ grub_free (cache->origin);
++ grub_free (cache->cache_pool);
++ if (cache->lv)
++ {
++ grub_free (cache->lv->fullname);
++ grub_free (cache->lv->idname);
++ grub_free (cache->lv->name);
++ }
++ grub_free (cache->lv);
++ grub_free (cache);
++ }
++ grub_lvm_free_cache_lvs (cache_lvs);
++ goto fail4;
++ }
+ else
+ {
+ #ifdef GRUB_UTIL
+@@ -747,6 +885,58 @@ grub_lvm_detect (grub_disk_t disk,
+ }
+
+ }
++
++ {
++ struct cache_lv *cache;
++
++ for (cache = cache_lvs; cache; cache = cache->next)
++ {
++ struct grub_diskfilter_lv *lv;
++
++ for (lv = vg->lvs; lv; lv = lv->next)
++ if (grub_strcmp (lv->name, cache->origin) == 0)
++ break;
++ if (lv)
++ {
++ cache->lv->segments = grub_malloc (lv->segment_count * sizeof (*lv->segments));
++ if (!cache->lv->segments)
++ {
++ grub_lvm_free_cache_lvs (cache_lvs);
++ goto fail4;
++ }
++ grub_memcpy (cache->lv->segments, lv->segments, lv->segment_count * sizeof (*lv->segments));
++
++ for (i = 0; i < lv->segment_count; ++i)
++ {
++ struct grub_diskfilter_node *nodes = lv->segments[i].nodes;
++ grub_size_t node_count = lv->segments[i].node_count;
++
++ cache->lv->segments[i].nodes = grub_malloc (node_count * sizeof (*nodes));
++ if (!cache->lv->segments[i].nodes)
++ {
++ for (j = 0; j < i; ++j)
++ grub_free (cache->lv->segments[j].nodes);
++ grub_free (cache->lv->segments);
++ cache->lv->segments = NULL;
++ grub_lvm_free_cache_lvs (cache_lvs);
++ goto fail4;
++ }
++ grub_memcpy (cache->lv->segments[i].nodes, nodes, node_count * sizeof (*nodes));
++ }
++
++ if (cache->lv->segments)
++ {
++ cache->lv->segment_count = lv->segment_count;
++ cache->lv->vg = vg;
++ cache->lv->next = vg->lvs;
++ vg->lvs = cache->lv;
++ cache->lv = NULL;
++ }
++ }
++ }
++ }
++
++ grub_lvm_free_cache_lvs (cache_lvs);
+ if (grub_diskfilter_vg_register (vg))
+ goto fail4;
+ }
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
new file mode 100644
index 0000000000..504352b4e3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
+From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Mon, 13 Jan 2014 12:13:09 +0000
+Subject: Don't permit loading modules on UEFI secure boot
+
+Author: Colin Watson <cjwatson@ubuntu.com>
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
+Forwarded: no
+Last-Update: 2013-12-25
+
+Patch-Name: no-insmod-on-sb.patch
+
+Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
+
+Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
+for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
+Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/dl.c | 13 +++++++++++++
+ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
+ include/grub/efi/efi.h | 1 +
+ 3 files changed, 42 insertions(+)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..074dfc3c6 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -38,6 +38,10 @@
+ #define GRUB_MODULES_MACHINE_READONLY
+ #endif
+
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+
+
+ #pragma GCC diagnostic ignored "-Wcast-align"
+@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
+ void *core = 0;
+ grub_dl_t mod = 0;
+
++#ifdef GRUB_MACHINE_EFI
++ if (grub_efi_secure_boot ())
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED,
++ "Secure Boot forbids loading module from %s", filename);
++ return 0;
++ }
++#endif
++
+ grub_boot_time ("Loading module %s", filename);
+
+ file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..96204e39b 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+ return NULL;
+ }
+
++grub_efi_boolean_t
++grub_efi_secure_boot (void)
++{
++ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_size_t datasize;
++ char *secure_boot = NULL;
++ char *setup_mode = NULL;
++ grub_efi_boolean_t ret = 0;
++
++ secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !secure_boot)
++ goto out;
++
++ setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !setup_mode)
++ goto out;
++
++ if (*secure_boot && !*setup_mode)
++ ret = 1;
++
++ out:
++ grub_free (secure_boot);
++ grub_free (setup_mode);
++ return ret;
++}
++
+ #pragma GCC diagnostic ignored "-Wcast-align"
+
+ /* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..a237952b3 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+ const grub_efi_guid_t *guid,
+ void *data,
+ grub_size_t datasize);
++grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+ int
+ EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+ const grub_efi_device_path_t *dp2);
diff --git a/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch b/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
new file mode 100644
index 0000000000..29021e8d8f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/safemath-Add-some-arithmetic-primitives-that-check-f.patch
@@ -0,0 +1,94 @@
+From 06c361a71c4998635493610e5d76d0d223925251 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 10:58:42 -0400
+Subject: [PATCH 5/9] safemath: Add some arithmetic primitives that check for
+ overflow
+
+This adds a new header, include/grub/safemath.h, that includes easy to
+use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
+
+ bool OP(a, b, res)
+
+where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
+case where the operation would overflow and res is not modified.
+Otherwise, false is returned and the operation is executed.
+
+These arithmetic primitives require newer compiler versions. So, bump
+these requirements in the INSTALL file too.
+
+Upstream-Status: Backport [commit 68708c4503018d61dbcce7ac11cbb511d6425f4d
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+[YL: omit the change to INSTALL from original patch]
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ include/grub/compiler.h | 8 ++++++++
+ include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 45 insertions(+)
+ create mode 100644 include/grub/safemath.h
+
+diff --git a/include/grub/compiler.h b/include/grub/compiler.h
+index c9e1d7a..8f3be3a 100644
+--- a/include/grub/compiler.h
++++ b/include/grub/compiler.h
+@@ -48,4 +48,12 @@
+ # define WARN_UNUSED_RESULT
+ #endif
+
++#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
++# define CLANG_PREREQ(maj,min) \
++ ((__clang_major__ > (maj)) || \
++ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
++#else
++# define CLANG_PREREQ(maj,min) 0
++#endif
++
+ #endif /* ! GRUB_COMPILER_HEADER */
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+new file mode 100644
+index 0000000..c17b89b
+--- /dev/null
++++ b/include/grub/safemath.h
+@@ -0,0 +1,37 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 Free Software Foundation, Inc.
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Arithmetic operations that protect against overflow.
++ */
++
++#ifndef GRUB_SAFEMATH_H
++#define GRUB_SAFEMATH_H 1
++
++#include <grub/compiler.h>
++
++/* These appear in gcc 5.1 and clang 3.8. */
++#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
++
++#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
++#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
++#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
++
++#else
++#error gcc 5.1 or newer or clang 3.8 or newer is required
++#endif
++
++#endif /* GRUB_SAFEMATH_H */
+--
+2.14.4
+
diff --git a/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch b/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
new file mode 100644
index 0000000000..84a80d5ffd
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/script-Remove-unused-fields-from-grub_script_functio.patch
@@ -0,0 +1,37 @@
+From e219bad8cee67b2bb21712df8f055706f8da25d2 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 11:21:14 +0100
+Subject: [PATCH 7/9] script: Remove unused fields from grub_script_function
+ struct
+
+Upstream-Status: Backport [commit 1a8d9c9b4ab6df7669b5aa36a56477f297825b96
+from https://git.savannah.gnu.org/git/grub.git]
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ include/grub/script_sh.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index 360c2be..b382bcf 100644
+--- a/include/grub/script_sh.h
++++ b/include/grub/script_sh.h
+@@ -359,13 +359,8 @@ struct grub_script_function
+ /* The script function. */
+ struct grub_script *func;
+
+- /* The flags. */
+- unsigned flags;
+-
+ /* The next element. */
+ struct grub_script_function *next;
+-
+- int references;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+
+--
+2.14.4
+
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-18 00:03:02 +0000