Backport R_RISCV_CALL_PLT reloc patch for riscv64

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

0001-RISC-V-Handle-R_RISCV_CALL_PLT-reloc.patch

@@ -0,0 +1,56 @@
+From 403d6540cd608b2706cfa0cb4713f7e4b490ff45 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 23 Feb 2023 13:15:08 -0800
+Subject: [PATCH] RISC-V: Handle R_RISCV_CALL_PLT reloc
+
+GNU assembler starting 2.40 release always generates R_RISCV_CALL_PLT
+reloc for call in assembler [1], similarly LLVM does not make
+distinction between R_RISCV_CALL_PLT and R_RISCV_CALL [2].
+
+Fixes "grub-mkimage: error: relocation 0x13 is not implemented yet.".
+
+[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=70f35d72ef04cd23771875c1661c9975044a749c
+[2] https://reviews.llvm.org/D132530
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/riscv/dl.c | 1 +
+ util/grub-mkimagexx.c     | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/grub-core/kern/riscv/dl.c b/grub-core/kern/riscv/dl.c
+index f26b12aaa..896653bb4 100644
+--- a/grub-core/kern/riscv/dl.c
++++ b/grub-core/kern/riscv/dl.c
+@@ -188,6 +188,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr,
+ 	  break;
+ 
+ 	case R_RISCV_CALL:
++	case R_RISCV_CALL_PLT:
+ 	  {
+ 	    grub_uint32_t *abs_place = place;
+ 	    grub_ssize_t off = sym_addr - (grub_addr_t) place;
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index a1927e786..c5fb336e9 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -1294,6 +1294,7 @@ SUFFIX (relocate_addrs) (Elf_Ehdr *e, struct section_metadata *smd,
+ 		     }
+ 		     break;
+ 		   case R_RISCV_CALL:
++		   case R_RISCV_CALL_PLT:
+ 		     {
+ 		       grub_uint32_t hi20, lo12;
+ 
+@@ -1726,6 +1727,7 @@ translate_relocation_pe (struct translate_context *ctx,
+ 	case R_RISCV_BRANCH:
+ 	case R_RISCV_JAL:
+ 	case R_RISCV_CALL:
++	case R_RISCV_CALL_PLT:
+ 	case R_RISCV_PCREL_HI20:
+ 	case R_RISCV_PCREL_LO12_I:
+ 	case R_RISCV_PCREL_LO12_S:
+-- 
+2.41.0
+

0347-normal-Remove-grub_env_set-prefix-in-grub_try_normal.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Tue, 19 Dec 2023 16:52:05 +0100
+Subject: [PATCH] normal: Remove grub_env_set prefix in grub_try_normal_prefix
+
+Commit de735a453aa35 added a grub_env_set where the prefix contains
+the arch name in the pathname. This create issues when trying to
+load modules using this prefix as the pathname contains a "doubled"
+arch name in it (ie .../powerpc-ieee1275/powerpc-ieee1275/).
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ grub-core/normal/main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index d59145f861d5..bac7b8a0e1d8 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -372,7 +372,6 @@ grub_try_normal_prefix (const char *prefix)
+            file = grub_file_open (config, GRUB_FILE_TYPE_CONFIG);
+            if (file)
+              {
+-               grub_env_set ("prefix", prefix);
+                grub_file_close (file);
+                err = GRUB_ERR_NONE;
+              }

0348-add-flag-to-only-search-root-dev.patch

@@ -0,0 +1,160 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marta Lewandowska <mlewando@redhat.com>
+Date: Mon, 9 Oct 2023 08:53:18 +0200
+Subject: [PATCH] add flag to only search root dev
+
+fixes bz#2223437
+
+Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
+---
+ grub-core/commands/search.c      | 36 ++++++++++++++++++++++++++++++++++++
+ grub-core/commands/search_wrap.c |  5 +++++
+ grub-core/kern/misc.c            | 30 ++++++++++++++++++++++++++++++
+ include/grub/misc.h              |  1 +
+ include/grub/search.h            |  3 ++-
+ 5 files changed, 74 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/search.c b/grub-core/commands/search.c
+index 57d26ced8a8e..819231751c38 100644
+--- a/grub-core/commands/search.c
++++ b/grub-core/commands/search.c
+@@ -85,6 +85,42 @@ iterate_device (const char *name, void *data)
+       grub_device_close (dev);
+     }
+ 
++  /* Skip it if it's not the root device when requested. */
++  if (ctx->flags & SEARCH_FLAGS_ROOTDEV_ONLY)
++    {
++      const char *root_dev;
++      root_dev = grub_env_get ("root");
++      if (root_dev != NULL && *root_dev != '\0')
++      {
++        char *root_disk = grub_malloc (grub_strlen(root_dev) + 1);
++        char *name_disk = grub_malloc (grub_strlen(name) + 1);
++        char *rem_1 = grub_malloc(grub_strlen(root_dev) + 1);
++        char *rem_2 = grub_malloc(grub_strlen(name) + 1);
++
++	if (root_disk != NULL && name_disk != NULL && 
++	    rem_1 != NULL && rem_2 != NULL)
++  	  {
++            /* get just the disk name; partitions will be different. */
++            grub_str_sep (root_dev, root_disk, ',', rem_1);
++            grub_str_sep (name, name_disk, ',', rem_2);
++            if (root_disk != NULL && *root_disk != '\0' &&
++    	        name_disk != NULL && *name_disk != '\0')
++              if (grub_strcmp(root_disk, name_disk) != 0)
++                {
++                  grub_free (root_disk);
++                  grub_free (name_disk);
++                  grub_free (rem_1);
++                  grub_free (rem_2);
++                  return 0;
++                }
++	  }
++        grub_free (root_disk);
++        grub_free (name_disk);
++        grub_free (rem_1);
++        grub_free (rem_2);
++      }
++    }
++
+ #ifdef DO_SEARCH_FS_UUID
+ #define compare_fn grub_strcasecmp
+ #else
+diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
+index 0b62acf85359..06b5f51eefb5 100644
+--- a/grub-core/commands/search_wrap.c
++++ b/grub-core/commands/search_wrap.c
+@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] =
+      ARG_TYPE_STRING},
+     {"no-floppy",	'n', 0, N_("Do not probe any floppy drive."), 0, 0},
+     {"efidisk-only",	0, 0, N_("Only probe EFI disks."), 0, 0},
++    {"root-dev-only",  'r', 0, N_("Only probe root device."), 0, 0},
+     {"hint",	        'h', GRUB_ARG_OPTION_REPEATABLE,
+      N_("First try the device HINT. If HINT ends in comma, "
+ 	"also try subpartitions"), N_("HINT"), ARG_TYPE_STRING},
+@@ -75,6 +76,7 @@ enum options
+     SEARCH_SET,
+     SEARCH_NO_FLOPPY,
+     SEARCH_EFIDISK_ONLY,
++    SEARCH_ROOTDEV_ONLY,
+     SEARCH_HINT,
+     SEARCH_HINT_IEEE1275,
+     SEARCH_HINT_BIOS,
+@@ -189,6 +191,9 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
+   if (state[SEARCH_EFIDISK_ONLY].set)
+     flags |= SEARCH_FLAGS_EFIDISK_ONLY;
+ 
++  if (state[SEARCH_ROOTDEV_ONLY].set)
++    flags |= SEARCH_FLAGS_ROOTDEV_ONLY;
++
+   if (state[SEARCH_LABEL].set)
+     grub_search_label (id, var, flags, hints, nhints);
+   else if (state[SEARCH_FS_UUID].set)
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index cb454614022f..c0ac7fee6cc2 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -619,6 +619,36 @@ grub_reverse (char *str)
+     }
+ }
+ 
++/* Separate string into two parts, broken up by delimiter delim. */
++void
++grub_str_sep (const char *s, char *p, char delim, char *r)
++{
++  char* t = grub_strndup(s, grub_strlen(s));
++
++  if (t != NULL && *t != '\0')
++  {
++    char* tmp = t;
++  
++    while (((*p = *t) != '\0') && ((*p = *t) != delim))
++    {
++      p++;
++      t++;
++    }
++    *p = '\0';
++  
++    if (*t != '\0')
++    {
++      t++;
++      while ((*r++ = *t++) != '\0')
++        ;
++      *r = '\0';
++    }
++    grub_free (tmp);
++  }
++  else
++    grub_free (t);
++}
++
+ /* Divide N by D, return the quotient, and store the remainder in *R.  */
+ grub_uint64_t
+ grub_divmod64 (grub_uint64_t n, grub_uint64_t d, grub_uint64_t *r)
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index faae0ae8606c..981526644d29 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -314,6 +314,7 @@ void *EXPORT_FUNC(grub_memset) (void *s, int c, grub_size_t n);
+ grub_size_t EXPORT_FUNC(grub_strlen) (const char *s) WARN_UNUSED_RESULT;
+ int EXPORT_FUNC(grub_printf) (const char *fmt, ...) __attribute__ ((format (GNU_PRINTF, 1, 2)));
+ int EXPORT_FUNC(grub_printf_) (const char *fmt, ...) __attribute__ ((format (GNU_PRINTF, 1, 2)));
++void EXPORT_FUNC(grub_str_sep) (const char *s, char *p, char delim, char *r);
+ 
+ /* Replace all `ch' characters of `input' with `with' and copy the
+    result into `output'; return EOS address of `output'. */
+diff --git a/include/grub/search.h b/include/grub/search.h
+index 4190aeb2cbf5..321d1400e451 100644
+--- a/include/grub/search.h
++++ b/include/grub/search.h
+@@ -22,7 +22,8 @@
+ enum search_flags
+   {
+     SEARCH_FLAGS_NO_FLOPPY	= 1,
+-    SEARCH_FLAGS_EFIDISK_ONLY	= 2
++    SEARCH_FLAGS_EFIDISK_ONLY	= 2,
++    SEARCH_FLAGS_ROOTDEV_ONLY	= 4
+   };
+ 
+ void grub_search_fs_file (const char *key, const char *var,

0349-Ignore-warnings-for-incompatible-types.patch

@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Wed, 17 Jan 2024 21:15:14 +0100
+Subject: [PATCH] Ignore warnings for incompatible types
+
+Add -Wno-incompatible-pointer-types to ignore warnings for incompatible
+types
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 79f45ef1e14c..b66e07c67851 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2009,8 +2009,8 @@ if test x"$enable_wextra" != xno ; then
+   HOST_CFLAGS="$HOST_CFLAGS -Wextra"
+ fi
+ 
+-TARGET_CFLAGS="$TARGET_CFLAGS -Werror=trampolines -fno-trampolines"
+-HOST_CFLAGS="$HOST_CFLAGS -Werror=trampolines -fno-trampolines"
++TARGET_CFLAGS="$TARGET_CFLAGS -Werror=trampolines -fno-trampolines -Wno-incompatible-pointer-types"
++HOST_CFLAGS="$HOST_CFLAGS -Werror=trampolines -fno-trampolines -Wno-incompatible-pointer-types"
+ 
+ TARGET_CPP="$TARGET_CC -E"
+ TARGET_CCAS=$TARGET_CC

0351-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch

@@ -0,0 +1,146 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 21:39:41 +0100
+Subject: [PATCH] grub-set-bootflag: Conservative partial fix for CVE-2024-1048
+
+Following up on CVE-2019-14865 and taking a fresh look at
+grub2-set-bootflag now (through my work at CIQ on Rocky Linux), I saw some
+other ways in which users could still abuse this little program:
+
+1. After CVE-2019-14865 fix, grub2-set-bootflag no longer rewrites the
+grubenv file in-place, but writes into a temporary file and renames it
+over the original, checking for error returns from each call first.
+This prevents the original file truncation vulnerability, but it can
+leave the temporary file around if the program is killed before it can
+rename or remove the file.  There are still many ways to get the program
+killed, such as through RLIMIT_FSIZE triggering SIGXFSZ (tested,
+reliable) or by careful timing (tricky) of signals sent by process group
+leader, pty, pre-scheduled timers, SIGXCPU (probably not an exhaustive
+list).  Invoking the program multiple times fills up /boot (or if /boot
+is not separate, then it can fill up the root filesystem).  Since the
+files are tiny, the filesystem is likely to run out of free inodes
+before it'd run out of blocks, but the effect is similar - can't create
+new files after this point (but still can add data to existing files,
+such as logs).
+
+2. After CVE-2019-14865 fix, grub2-set-bootflag naively tries to protect
+itself from signals by becoming full root.  (This does protect it from
+signals sent by the user directly to the PID, but e.g. "kill -9 -1" by
+the user still works.)  A side effect of such "protection" is that it's
+possible to invoke more concurrent instances of grub2-set-bootflag than
+the user's RLIMIT_NPROC would normally permit (as specified e.g. in
+/etc/security/limits.conf, or say in Apache httpd's RLimitNPROC if
+grub2-set-bootflag would be abused by a website script), thereby
+exhausting system resources (e.g., bypassing RAM usage limit if
+RLIMIT_AS was also set).
+
+3. umask is inherited.  Again, due to how the CVE-2019-14865 fix creates
+a new file, and due to how mkstemp() works, this affects grubenv's new
+file permissions.  Luckily, mkstemp() forces them to be no more relaxed
+than 0600, but the user ends up being able to set them e.g. to 0.
+Luckily, at least in my testing GRUB still works fine even when the file
+has such (lack of) permissions.
+
+This commit deals with the abuses above as follows:
+
+1. RLIMIT_FSIZE is pre-checked, so this specific way to get the process
+killed should no longer work.  However, this isn't a complete fix
+because there are other ways to get the process killed after it has
+created the temporary file.
+
+The commit also fixes bug 1975892 ("RFE: grub2-set-bootflag should not
+write the grubenv when the flag being written is already set") and
+similar for "menu_show_once", which further reduces the abuse potential.
+
+2. RLIMIT_NPROC bypass should be avoided by not becoming full root (aka
+dropping the partial "kill protection").
+
+3. A safe umask is set.
+
+This is a partial fix (temporary files can still accumulate, but this is
+harder to trigger).
+
+While at it, this commit also fixes potential 1- or 2-byte over-read of
+env[] if its content is malformed - this was not a security issue since the
+grubenv file is trusted input, and the fix is just for robustness.
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 3b4c25ca2ac6..5bbbef804391 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -33,6 +33,8 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/stat.h>
++#include <sys/resource.h>
+ 
+ #include "progname.h"
+ 
+@@ -57,12 +59,17 @@ static void usage(FILE *out)
+ int main(int argc, char *argv[])
+ {
+   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+-  char env[GRUBENV_SIZE + 1], buf[64], *s;
++  char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
+   /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+   char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
+   const char *bootflag;
+   int i, fd, len, ret;
+   FILE *f;
++  struct rlimit rlim;
++
++  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
++    return 1;
++  umask(077);
+ 
+   if (argc != 2)
+     {
+@@ -94,20 +101,11 @@ int main(int argc, char *argv[])
+   len = strlen (bootflag);
+ 
+   /*
+-   * Really become root. setuid avoids an user killing us, possibly leaking
+-   * the tmpfile. setgid avoids the new grubenv's gid being that of the user.
++   * setegid avoids the new grubenv's gid being that of the user.
+    */
+-  ret = setuid(0);
+-  if (ret)
++  if (setegid(0))
+     {
+-      perror ("Error setuid(0) failed");
+-      return 1;
+-    }
+-
+-  ret = setgid(0);
+-  if (ret)
+-    {
+-      perror ("Error setgid(0) failed");
++      perror ("Error setegid(0) failed");
+       return 1;
+     }
+ 
+@@ -136,6 +134,9 @@ int main(int argc, char *argv[])
+ 
+   /* 0 terminate env */
+   env[GRUBENV_SIZE] = 0;
++  /* not a valid flag value */
++  env[GRUBENV_SIZE + 1] = 0;
++  env[GRUBENV_SIZE + 2] = 0;
+ 
+   if (strncmp (env, GRUB_ENVBLK_SIGNATURE, strlen (GRUB_ENVBLK_SIGNATURE)))
+     {
+@@ -171,6 +172,8 @@ int main(int argc, char *argv[])
+ 
+   /* The grubenv is not 0 terminated, so memcpy the name + '=' , '1', '\n' */
+   snprintf(buf, sizeof(buf), "%s=1\n", bootflag);
++  if (!memcmp(s, buf, len + 3))
++    return 0; /* nothing to do */
+   memcpy(s, buf, len + 3);
+ 
+ 

0352-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch

@@ -0,0 +1,187 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 21:56:21 +0100
+Subject: [PATCH] grub-set-bootflag: More complete fix for CVE-2024-1048
+
+Switch to per-user fixed temporary filenames along with a weird locking
+mechanism, which is explained in source code comments.  This is a more
+complete fix than the previous commit (temporary files can't accumulate).
+Unfortunately, it introduces new risks (by working on a temporary file
+shared between the user's invocations), which are _hopefully_ avoided by
+the patch's elaborate logic.  I actually got it wrong at first, which
+suggests that this logic is hard to reason about, and more errors or
+omissions are possible.  It also relies on the kernel's primitives' exact
+semantics to a greater extent (nothing out of the ordinary, though).
+
+Remaining issues that I think cannot reasonably be fixed without a
+redesign (e.g., having per-flag files with nothing else in them) and
+without introducing new issues:
+
+A. A user can still revert a concurrent user's attempt of setting the
+other flag - or of making other changes to grubenv by means other than
+this program.
+
+B. One leftover temporary file per user is still possible.
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 95 ++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 79 insertions(+), 16 deletions(-)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 5bbbef804391..514c4f9091ac 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -33,6 +33,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/resource.h>
+ 
+@@ -60,15 +61,12 @@ int main(int argc, char *argv[])
+ {
+   /* NOTE buf must be at least the longest bootflag length + 4 bytes */
+   char env[GRUBENV_SIZE + 1 + 2], buf[64], *s;
+-  /* +1 for 0 termination, +6 for "XXXXXX" in tmp filename */
+-  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 6 + 1];
++  /* +1 for 0 termination, +11 for ".%u" in tmp filename */
++  char env_filename[PATH_MAX + 1], tmp_filename[PATH_MAX + 11 + 1];
+   const char *bootflag;
+   int i, fd, len, ret;
+   FILE *f;
+-  struct rlimit rlim;
+ 
+-  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
+-    return 1;
+   umask(077);
+ 
+   if (argc != 2)
+@@ -105,7 +103,7 @@ int main(int argc, char *argv[])
+    */
+   if (setegid(0))
+     {
+-      perror ("Error setegid(0) failed");
++      perror ("setegid(0) failed");
+       return 1;
+     }
+ 
+@@ -176,19 +174,82 @@ int main(int argc, char *argv[])
+     return 0; /* nothing to do */
+   memcpy(s, buf, len + 3);
+ 
++  struct rlimit rlim;
++  if (getrlimit(RLIMIT_FSIZE, &rlim) || rlim.rlim_cur < GRUBENV_SIZE || rlim.rlim_max < GRUBENV_SIZE)
++    {
++      fprintf (stderr, "Resource limits undetermined or too low\n");
++      return 1;
++    }
++
++  /*
++   * Here we work under the premise that we shouldn't write into the target
++   * file directly because we might not be able to have all of our changes
++   * written completely and atomically.  That was CVE-2019-14865, known to
++   * have been triggerable via RLIMIT_FSIZE.  While we've dealt with that
++   * specific attack via the check above, there may be other possibilities.
++   */
+ 
+   /*
+    * Create a tempfile for writing the new env.  Use the canonicalized filename
+    * for the template so that the tmpfile is in the same dir / on same fs.
++   *
++   * We now use per-user fixed temporary filenames, so that a user cannot cause
++   * multiple files to accumulate.
++   *
++   * We don't use O_EXCL so that a stale temporary file doesn't prevent further
++   * usage of the program by the user.
+    */
+-  snprintf(tmp_filename, sizeof(tmp_filename), "%sXXXXXX", env_filename);
+-  fd = mkstemp(tmp_filename);
++  snprintf(tmp_filename, sizeof(tmp_filename), "%s.%u", env_filename, getuid());
++  fd = open(tmp_filename, O_CREAT | O_WRONLY, 0600);
+   if (fd == -1)
+     {
+       perror ("Creating tmpfile failed");
+       return 1;
+     }
+ 
++  /*
++   * The lock prevents the same user from reaching further steps ending in
++   * rename() concurrently, in which case the temporary file only partially
++   * written by one invocation could be renamed to the target file by another.
++   *
++   * The lock also guards the slow fsync() from concurrent calls.  After the
++   * first time that and the rename() complete, further invocations for the
++   * same flag become no-ops.
++   *
++   * We lock the temporary file rather than the target file because locking the
++   * latter would allow any user having SIGSTOP'ed their process to make all
++   * other users' invocations fail (or lock up if we'd use blocking mode).
++   *
++   * We use non-blocking mode (LOCK_NB) because the lock having been taken by
++   * another process implies that the other process would normally have already
++   * renamed the file to target by the time it releases the lock (and we could
++   * acquire it), so we'd be working directly on the target if we proceeded,
++   * which is undesirable, and we'd kind of fail on the already-done rename.
++   */
++  if (flock(fd, LOCK_EX | LOCK_NB))
++    {
++      perror ("Locking tmpfile failed");
++      return 1;
++    }
++
++  /*
++   * Deal with the potential that another invocation proceeded all the way to
++   * rename() and process exit while we were between open() and flock().
++   */
++  {
++    struct stat st1, st2;
++    if (fstat(fd, &st1) || stat(tmp_filename, &st2))
++      {
++        perror ("stat of tmpfile failed");
++        return 1;
++      }
++    if (st1.st_dev != st2.st_dev || st1.st_ino != st2.st_ino)
++      {
++        fprintf (stderr, "Another invocation won race\n");
++        return 1;
++      }
++  }
++
+   f = fdopen (fd, "w");
+   if (!f)
+     {
+@@ -213,6 +274,14 @@ int main(int argc, char *argv[])
+       return 1;     
+     }
+ 
++  ret = ftruncate (fileno (f), GRUBENV_SIZE);
++  if (ret)
++    {
++      perror ("Error truncating tmpfile");
++      unlink(tmp_filename);
++      return 1;
++    }
++
+   ret = fsync (fileno (f));
+   if (ret)
+     {
+@@ -221,15 +290,9 @@ int main(int argc, char *argv[])
+       return 1;
+     }
+ 
+-  ret = fclose (f);
+-  if (ret)
+-    {
+-      perror ("Error closing tmpfile");
+-      unlink(tmp_filename);
+-      return 1;
+-    }
+-
+   /*
++   * We must not close the file before rename() as that would remove the lock.
++   *
+    * And finally rename the tmpfile with the new env over the old env, the
+    * linux kernel guarantees that this is atomic (from a syscall pov).
+    */

0353-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Solar Designer <solar@openwall.com>
+Date: Tue, 6 Feb 2024 22:05:45 +0100
+Subject: [PATCH] grub-set-bootflag: Exit calmly when not running as root
+
+Exit calmly when not installed SUID root and invoked by non-root.  This
+allows installing user/grub-boot-success.service unconditionally while
+supporting non-SUID installation of the program for some limited usage.
+
+Signed-off-by: Solar Designer <solar@openwall.com>
+---
+ util/grub-set-bootflag.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/util/grub-set-bootflag.c b/util/grub-set-bootflag.c
+index 514c4f9091ac..31a868aeca8a 100644
+--- a/util/grub-set-bootflag.c
++++ b/util/grub-set-bootflag.c
+@@ -98,6 +98,17 @@ int main(int argc, char *argv[])
+   bootflag = bootflags[i];
+   len = strlen (bootflag);
+ 
++  /*
++   * Exit calmly when not installed SUID root and invoked by non-root.  This
++   * allows installing user/grub-boot-success.service unconditionally while
++   * supporting non-SUID installation of the program for some limited usage.
++   */
++  if (geteuid())
++    {
++      printf ("grub-set-bootflag not running as root, no action taken\n");
++      return 0;
++    }
++
+   /*
+    * setegid avoids the new grubenv's gid being that of the user.
+    */

0354-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch

@@ -0,0 +1,90 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Tue, 3 Oct 2023 19:12:23 +0200
+Subject: [PATCH] fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST
+ attribute for the $MFT file
+
+When parsing an extremely fragmented $MFT file, i.e., the file described
+using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
+containing bytes read from the underlying drive to store sector numbers,
+which are consumed later to read data from these sectors into another buffer.
+
+These sectors numbers, two 32-bit integers, are always stored at predefined
+offsets, 0x10 and 0x14, relative to first byte of the selected entry within
+the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
+
+However, when parsing a specially-crafted file system image, this may cause
+the NTFS code to write these integers beyond the buffer boundary, likely
+causing the GRUB memory allocator to misbehave or fail. These integers contain
+values which are controlled by on-disk structures of the NTFS file system.
+
+Such modification and resulting misbehavior may touch a memory range not
+assigned to the GRUB and owned by firmware or another EFI application/driver.
+
+This fix introduces checks to ensure that these sector numbers are never
+written beyond the boundary.
+
+Fixes: CVE-2023-4692
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 3511e4e2cb6f..4681c7ac32a8 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -184,7 +184,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+     }
+   if (at->attr_end)
+     {
+-      grub_uint8_t *pa;
++      grub_uint8_t *pa, *pa_end;
+ 
+       at->emft_buf = grub_malloc (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+       if (at->emft_buf == NULL)
+@@ -209,11 +209,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	    }
+ 	  at->attr_nxt = at->edat_buf;
+ 	  at->attr_end = at->edat_buf + u32at (pa, 0x30);
++	  pa_end = at->edat_buf + n;
+ 	}
+       else
+ 	{
+ 	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
+ 	  at->attr_end = at->attr_end + u32at (pa, 4);
++	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ 	}
+       at->flags |= GRUB_NTFS_AF_ALST;
+       while (at->attr_nxt < at->attr_end)
+@@ -230,6 +232,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	  at->flags |= GRUB_NTFS_AF_GPOS;
+ 	  at->attr_cur = at->attr_nxt;
+ 	  pa = at->attr_cur;
++
++	  if ((pa >= pa_end) || (pa_end - pa < 0x18))
++	    {
++	      grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++	      return NULL;
++	    }
++
+ 	  grub_set_unaligned32 ((char *) pa + 0x10,
+ 				grub_cpu_to_le32 (at->mft->data->mft_start));
+ 	  grub_set_unaligned32 ((char *) pa + 0x14,
+@@ -240,6 +249,13 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	    {
+ 	      if (*pa != attr)
+ 		break;
++
++              if ((pa >= pa_end) || (pa_end - pa < 0x18))
++                {
++	          grub_error (GRUB_ERR_BAD_FS, "can\'t parse attribute list");
++	          return NULL;
++	        }
++
+ 	      if (read_attr
+ 		  (at, pa + 0x10,
+ 		   u32at (pa, 0x10) * (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),

0355-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Tue, 3 Oct 2023 19:12:24 +0200
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 4681c7ac32a8..1949d48a494f 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 

0356-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch

@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Tue, 3 Oct 2023 19:12:25 +0200
+Subject: [PATCH] fs/ntfs: Fix an OOB read when parsing directory entries from
+ resident and non-resident index attributes
+
+This fix introduces checks to ensure that index entries are never read
+beyond the corresponding directory index.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 1949d48a494f..72302033281a 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -599,7 +599,7 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
+ }
+ 
+ static int
+-list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
++list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos, grub_uint8_t *end_pos,
+ 	   grub_fshelp_iterate_dir_hook_t hook, void *hook_data)
+ {
+   grub_uint8_t *np;
+@@ -610,6 +610,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+       grub_uint8_t namespace;
+       char *ustr;
+ 
++      if ((pos >= end_pos) || (end_pos - pos < 0x52))
++        break;
++
+       if (pos[0xC] & 2)		/* end signature */
+ 	break;
+ 
+@@ -617,6 +620,9 @@ list_file (struct grub_ntfs_file *diro, grub_uint8_t *pos,
+       ns = *(np++);
+       namespace = *(np++);
+ 
++      if (2 * ns > end_pos - pos - 0x52)
++        break;
++
+       /*
+        *  Ignore files in DOS namespace, as they will reappear as Win32
+        *  names.
+@@ -802,7 +808,9 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+     }
+ 
+   cur_pos += 0x10;		/* Skip index root */
+-  ret = list_file (mft, cur_pos + u16at (cur_pos, 0), hook, hook_data);
++  ret = list_file (mft, cur_pos + u16at (cur_pos, 0),
++                   at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR),
++                   hook, hook_data);
+   if (ret)
+     goto done;
+ 
+@@ -889,6 +897,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 			     (const grub_uint8_t *) "INDX")))
+ 		goto done;
+ 	      ret = list_file (mft, &indx[0x18 + u16at (indx, 0x18)],
++			       indx + (mft->data->idx_size << GRUB_NTFS_BLK_SHR),
+ 			       hook, hook_data);
+ 	      if (ret)
+ 		goto done;

0357-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch

@@ -0,0 +1,48 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Tue, 3 Oct 2023 19:12:26 +0200
+Subject: [PATCH] fs/ntfs: Fix an OOB read when parsing bitmaps for index
+ attributes
+
+This fix introduces checks to ensure that bitmaps for directory indices
+are never read beyond their actual sizes.
+
+The lack of this check is a minor issue, likely not exploitable in any way.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 72302033281a..74515114287f 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -839,6 +839,25 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 
+ 	  if (is_resident)
+ 	    {
++              if (bitmap_len > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap too large");
++		  goto done;
++		}
++
++              if (cur_pos >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++		  goto done;
++		}
++
++              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
++		{
++		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
++		  goto done;
++		}
++
+               grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
+                            bitmap_len);
+ 	    }

0358-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch

@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Tue, 3 Oct 2023 19:12:27 +0200
+Subject: [PATCH] fs/ntfs: Fix an OOB read when parsing a volume label
+
+This fix introduces checks to ensure that an NTFS volume label is always
+read from the corresponding file record segment.
+
+The current NTFS code allows the volume label string to be read from an
+arbitrary, attacker-chosen memory location. However, the bytes read are
+always treated as UTF-16LE. So, the final string displayed is mostly
+unreadable and it can't be easily converted back to raw bytes.
+
+The lack of this check is a minor issue, likely not causing a significant
+data leak.
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 74515114287f..32ba8276dd8d 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -1209,13 +1209,29 @@ grub_ntfs_label (grub_device_t device, char **label)
+ 
+   init_attr (&mft->attr, mft);
+   pa = find_attr (&mft->attr, GRUB_NTFS_AT_VOLUME_NAME);
++
++  if (pa >= mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++    {
++      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++      goto fail;
++    }
++
++  if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa < 0x16)
++    {
++      grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
++      goto fail;
++    }
++
+   if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
+     {
+       int len;
+ 
+       len = u32at (pa, 0x10) / 2;
+       pa += u16at (pa, 0x14);
+-      *label = get_utf8 (pa, len);
++      if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
++        *label = get_utf8 (pa, len);
++      else
++        grub_error (GRUB_ERR_BAD_FS, "can\'t parse volume label");
+     }
+ 
+ fail:

0359-fs-ntfs-Make-code-more-readable.patch

@@ -0,0 +1,156 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Tue, 3 Oct 2023 19:12:28 +0200
+Subject: [PATCH] fs/ntfs: Make code more readable
+
+Move some calls used to access NTFS attribute header fields into
+functions with human-readable names.
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/fs/ntfs.c | 48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 32ba8276dd8d..991b1c2094f5 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -52,6 +52,24 @@ u64at (void *ptr, grub_size_t ofs)
+   return grub_le_to_cpu64 (grub_get_unaligned64 ((char *) ptr + ofs));
+ }
+ 
++static grub_uint16_t
++first_attr_off (void *mft_buf_ptr)
++{
++  return u16at (mft_buf_ptr, 0x14);
++}
++
++static grub_uint16_t
++res_attr_data_off (void *res_attr_ptr)
++{
++  return u16at (res_attr_ptr, 0x14);
++}
++
++static grub_uint32_t
++res_attr_data_len (void *res_attr_ptr)
++{
++  return u32at (res_attr_ptr, 0x10);
++}
++
+ grub_ntfscomp_func_t grub_ntfscomp_func;
+ 
+ static grub_err_t
+@@ -106,7 +124,7 @@ init_attr (struct grub_ntfs_attr *at, struct grub_ntfs_file *mft)
+ {
+   at->mft = mft;
+   at->flags = (mft == &mft->data->mmft) ? GRUB_NTFS_AF_MMFT : 0;
+-  at->attr_nxt = mft->buf + u16at (mft->buf, 0x14);
++  at->attr_nxt = mft->buf + first_attr_off (mft->buf);
+   at->attr_end = at->emft_buf = at->edat_buf = at->sbuf = NULL;
+ }
+ 
+@@ -154,7 +172,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 		    return NULL;
+ 		}
+ 
+-	      new_pos = &at->emft_buf[u16at (at->emft_buf, 0x14)];
++	      new_pos = &at->emft_buf[first_attr_off (at->emft_buf)];
+ 	      while (*new_pos != 0xFF)
+ 		{
+ 		  if ((*new_pos == *at->attr_cur)
+@@ -213,7 +231,7 @@ find_attr (struct grub_ntfs_attr *at, grub_uint8_t attr)
+ 	}
+       else
+ 	{
+-	  at->attr_nxt = at->attr_end + u16at (pa, 0x14);
++	  at->attr_nxt = at->attr_end + res_attr_data_off (pa);
+ 	  at->attr_end = at->attr_end + u32at (pa, 4);
+ 	  pa_end = at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR);
+ 	}
+@@ -399,20 +417,20 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+ 
+   if (pa[8] == 0)
+     {
+-      if (ofs + len > u32at (pa, 0x10))
++      if (ofs + len > res_attr_data_len (pa))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+ 
+-      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++      if (res_attr_data_len (pa) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
+ 
+       if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+ 
+-      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++      if (res_attr_data_off (pa) + res_attr_data_len (pa) >
+ 	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
+ 	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
+ 
+-      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
++      grub_memcpy (dest, pa + res_attr_data_off (pa) + ofs, len);
+       return 0;
+     }
+ 
+@@ -556,7 +574,7 @@ init_file (struct grub_ntfs_file *mft, grub_uint64_t mftno)
+ 			   (unsigned long long) mftno);
+ 
+       if (!pa[8])
+-	mft->size = u32at (pa, 0x10);
++	mft->size = res_attr_data_len (pa);
+       else
+ 	mft->size = u64at (pa, 0x30);
+ 
+@@ -801,7 +819,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 	  (u32at (cur_pos, 0x18) != 0x490024) ||
+ 	  (u32at (cur_pos, 0x1C) != 0x300033))
+ 	continue;
+-      cur_pos += u16at (cur_pos, 0x14);
++      cur_pos += res_attr_data_off (cur_pos);
+       if (*cur_pos != 0x30)	/* Not filename index */
+ 	continue;
+       break;
+@@ -830,7 +848,7 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 	{
+           int is_resident = (cur_pos[8] == 0);
+ 
+-          bitmap_len = ((is_resident) ? u32at (cur_pos, 0x10) :
++          bitmap_len = ((is_resident) ? res_attr_data_len (cur_pos) :
+                         u32at (cur_pos, 0x28));
+ 
+           bmp = grub_malloc (bitmap_len);
+@@ -851,14 +869,14 @@ grub_ntfs_iterate_dir (grub_fshelp_node_t dir,
+ 		  goto done;
+ 		}
+ 
+-              if (u16at (cur_pos, 0x14) + u32at (cur_pos, 0x10) >
++              if (res_attr_data_off (cur_pos) + res_attr_data_len (cur_pos) >
+ 		  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) cur_pos)
+ 		{
+ 		  grub_error (GRUB_ERR_BAD_FS, "resident bitmap out of range");
+ 		  goto done;
+ 		}
+ 
+-              grub_memcpy (bmp, cur_pos + u16at (cur_pos, 0x14),
++              grub_memcpy (bmp, cur_pos + res_attr_data_off (cur_pos),
+                            bitmap_len);
+ 	    }
+           else
+@@ -1222,12 +1240,12 @@ grub_ntfs_label (grub_device_t device, char **label)
+       goto fail;
+     }
+ 
+-  if ((pa) && (pa[8] == 0) && (u32at (pa, 0x10)))
++  if ((pa) && (pa[8] == 0) && (res_attr_data_len (pa)))
+     {
+       int len;
+ 
+-      len = u32at (pa, 0x10) / 2;
+-      pa += u16at (pa, 0x14);
++      len = res_attr_data_len (pa) / 2;
++      pa += res_attr_data_off (pa);
+       if (mft->buf + (mft->data->mft_size << GRUB_NTFS_BLK_SHR) - pa >= 2 * len)
+         *label = get_utf8 (pa, len);
+       else

grub.macros

@@ -419,7 +419,7 @@ rm -f %{1}.conf							\
 %define efi_mkimage()						\
 mkdir -p memdisk/fonts						\
 cp %{4}/unicode.pf2 memdisk/fonts				\
-mksquashfs memdisk memdisk.squashfs -comp xz			\
+mksquashfs memdisk memdisk.squashfs -comp lzo			\
 %{4}./grub-mkimage -O %{1} -o %{2}.orig				\\\
 	-d grub-core						\\\
 	--sbat %{4}./sbat.csv					\\\
@@ -448,14 +448,14 @@ mksquashfs memdisk memdisk.squashfs -comp xz			\
 %define ieee1275_mkimage()					\
 mkdir -p memdisk/fonts						\
 cp %{5}/unicode.pf2 memdisk/fonts				\
-mksquashfs memdisk memdisk.squashfs -comp xz			\
+mksquashfs memdisk memdisk.squashfs -comp lzo			\
 ./grub-mkimage -O %{1} -o %{2} -p '/grub2' -d grub-core ${GRUB_MODULES} \
 %{nil}
 %else
 %define ieee1275_mkimage()					\
 mkdir -p memdisk/fonts						\
 cp %{5}/unicode.pf2 memdisk/fonts				\
-mksquashfs memdisk memdisk.squashfs -comp xz			\
+mksquashfs memdisk memdisk.squashfs -comp lzo			\
 APPENDED_SIG_SIZE=0						\
 if [ -x /usr/bin/rpm-sign ]; then				\
 	touch empty.unsigned					\

grub.patches

@@ -342,6 +342,19 @@ Patch0341: 0341-fs-Remove-trailing-whitespaces.patch
 Patch0342: 0342-fs-xfs-Fix-memory-leaks-in-XFS-module.patch
 Patch0343: 0343-fs-xfs-Fix-issues-found-while-fuzzing-the-XFS-filesy.patch
 Patch0344: 0344-fs-xfs-Incorrect-short-form-directory-data-boundary-.patch
-Patch0345: 0345-fs-xfs-Fix-XFS-directory-extent-parsing.patch
-Patch0346: 0346-fs-xfs-Add-large-extent-counters-incompat-feature-su.patch
-Patch0347: 0347-chainloader-remove-device-path-debug-message.patch
+Patch0345: 0345-fs-xfs-Add-large-extent-counters-incompat-feature-su.patch
+Patch0346: 0346-chainloader-remove-device-path-debug-message.patch
+Patch0347: 0347-normal-Remove-grub_env_set-prefix-in-grub_try_normal.patch
+Patch0348: 0348-add-flag-to-only-search-root-dev.patch
+Patch0349: 0349-Ignore-warnings-for-incompatible-types.patch
+Patch0350: 0350-fs-xfs-Fix-XFS-directory-extent-parsing.patch
+Patch0351: 0351-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch
+Patch0352: 0352-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch
+Patch0353: 0353-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch
+Patch0354: 0354-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
+Patch0355: 0355-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
+Patch0356: 0356-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
+Patch0357: 0357-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
+Patch0358: 0358-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
+Patch0359: 0359-fs-ntfs-Make-code-more-readable.patch
+Patch0335: 0001-RISC-V-Handle-R_RISCV_CALL_PLT-reloc.patch

grub2.spec

@@ -17,7 +17,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.06
-Release:	111%{?dist}
+Release:	120.0.riscv64%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPL-3.0-or-later
 URL:		http://www.gnu.org/software/grub/
@@ -135,7 +135,6 @@ This subpackage provides tools for support of EFI platforms.
 Summary:	Support tools for GRUB.
 Requires:	gettext-runtime
 Requires:	grub2-common = %{epoch}:%{version}-%{release}
-Obsoletes:	grub2-tools < %{evr}
 
 %description tools-minimal
 %{desc}
@@ -369,7 +368,7 @@ BOOT_UUID=$(grub2-probe --target=fs_uuid ${GRUB_HOME})
 GRUB_DIR=$(grub2-mkrelpath ${GRUB_HOME})
 
 cat << EOF > ${EFI_HOME}/grub.cfg.stb
-search --no-floppy --fs-uuid --set=dev ${BOOT_UUID}
+search --no-floppy --root-dev-only --fs-uuid --set=dev ${BOOT_UUID}
 set prefix=(\$dev)${GRUB_DIR}
 export \$prefix
 configfile \$prefix/grub.cfg
@@ -555,6 +554,55 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Thu Mar 21 2024 David Abdurachmanov <davidlt@rivosinc.com> - 2.06-120.0.riscv64
+- Backport riscv64 R_RISCV_CALL_PLT reloc patch
+
+* Fri Mar 8 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-120
+- GRUB2 NTFS driver vulnerabilities
+- (CVE-2023-4692)
+- (CVE-2023-4693)
+- Resolves: #2236613
+- Resolves: #2241978
+- Resolves: #2241976
+- Resolves: #2238343
+
+* Wed Feb 7 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-119
+- grub-set-bootflag: Fix for CVE-2024-1048
+- (CVE-2024-1048)
+- Resolves: #2256678
+
+* Tue Jan 23 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-118
+- xfs: include the 'directory extent parsing patch', otherwise
+XFS-formatted partitions do not boot. This change effectively
+reverts 2.06-115
+- Resolves: #2259266
+
+* Wed Jan 17 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-117
+- Compiler flags: ignore incompatible types for now as it prevents
+CI builds
+
+* Wed Jan 17 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-116
+- grub-core/commands: add flag to only search root dev
+- Resolves: #2223437
+- Resolves: #2224951
+- Resolves: #2258096
+- Resolves: CVE-2023-4001
+
+* Wed Jan 17 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.06-115
+- xfs: some bios systems can't boot with one of the xfs upstream patches
+- Resolves: #2254370
+
+* Sat Jan 13 2024 Hector Martin <marcan@fedoraproject.org> - 2.06-114
+- Switch memdisk compression to lzop
+
+* Thu Jan 11 2024 Daan De Meyer <daan.j.demeyer@gmail.com> - 2.06-113
+-  Don't obsolete the tools package with minimal
+
+* Tue Dec 19 2023 Nicolas Frayer <nfrayer@redhat.com> - 2.06-112
+- normal: fix prefix when loading modules
+- Resolves: #2209435
+- Resolves: #2173015
+
 * Tue Dec 12 2023 leo sandoval <lsandova@redhat.com> - 2.06-111
 - chainloader: remove device path debug message