poky/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch

From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 23 Mar 2024 15:59:43 +1100
Subject: [PATCH] fs/bfs: Disable under lockdown

The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
This will also disable the AFS.

Fixes: CVE-2024-45778
Fixes: CVE-2024-45779

Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

CVE: CVE-2024-45778
CVE: CVE-2024-45779
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 grub-core/fs/bfs.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
index 47dbe20..8d704e2 100644
--- a/grub-core/fs/bfs.c
+++ b/grub-core/fs/bfs.c
@@ -30,6 +30,7 @@
 #include <grub/types.h>
 #include <grub/i18n.h>
 #include <grub/fshelp.h>
+#include <grub/lockdown.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1104,7 +1105,10 @@ GRUB_MOD_INIT (bfs)
 {
   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
 		       sizeof (struct grub_bfs_extent));
-  grub_fs_register (&grub_bfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_bfs_fs);
+    }
 }
 
 #ifdef MODE_AFS
@@ -1113,5 +1117,6 @@ GRUB_MOD_FINI (afs)
 GRUB_MOD_FINI (bfs)
 #endif
 {
-  grub_fs_unregister (&grub_bfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_bfs_fs);
 }
-- 
2.25.1