canoeboot-mirror/cbmk
1
0
Fork 0
mirror of https://codeberg.org/canoeboot/cbmk.git synced 2025-02-23 14:59:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
cbmk/config/grub/xhci/patches/0024-xhci-configure-TT-for-non-root-hubs.patch
Leah Rowe b74a7f0cc6 Bump GRUB revision to add 73 security patches 
You can find information about these patches here:
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html

GRUB has been on a crusade as of late, to proactively audit
and fix many security vulnerabilities. This lbmk change brings
in a comprehensive series of patches that fix bugs ranging from
possible buffer overflows, use-after frees, null derefs and so on.

These changes are critical, so a revision release *will* be issued,
for the Libreboot 20241206 release series.

This change imports the following 73 patches which
are present on the upstream GRUB repository (commit IDs
matched to upstream):

* 4dc616657 loader/i386/bsd: Use safe math to avoid underflow
* 490a6ab71 loader/i386/linux: Cast left shift to grub_uint32_t
* a8d6b0633 kern/misc: Add sanity check after grub_strtoul() call
* 8e6e87e79 kern/partition: Add sanity check after grub_strtoul() call
* 5b36a5210 normal/menu: Use safe math to avoid an integer overflow
* 9907d9c27 bus/usb/ehci: Define GRUB_EHCI_TOGGLE as grub_uint32_t
* f8795cde2 misc: Ensure consistent overflow error messages
* 66733f7c7 osdep/unix/getroot: Fix potential underflow
* d13b6e8eb script/execute: Fix potential underflow and NULL dereference
* e3c578a56 fs/sfs: Check if allocated memory is NULL
* 1c06ec900 net: Check if returned pointer for allocated memory is NULL
* dee2c14fd net: Prevent overflows when allocating memory for arrays
* 4beeff8a3 net: Use safe math macros to prevent overflows
* dd6a4c8d1 fs/zfs: Add missing NULL check after grub_strdup() call
* 13065f69d fs/zfs: Check if returned pointer for allocated memory is NULL
* 7f38e32c7 fs/zfs: Prevent overflows when allocating memory for arrays
* 88e491a0f fs/zfs: Use safe math macros to prevent overflows
* cde9f7f33 fs: Prevent overflows when assigning returned values from read_number()
* 84bc0a9a6 fs: Prevent overflows when allocating memory for arrays
* 6608163b0 fs: Use safe math macros to prevent overflows
* fbaddcca5 disk/ieee1275/ofdisk: Call grub_ieee1275_close() when grub_malloc() fails
* 33bd6b5ac disk: Check if returned pointer for allocated memory is NULL
* d8151f983 disk: Prevent overflows when allocating memory for arrays
* c407724da disk: Use safe math macros to prevent overflows
* c4bc55da2 fs: Disable many filesystems under lockdown
* 26db66050 fs/bfs: Disable under lockdown
* 5f31164ae commands/hexdump: Disable memory reading in lockdown mode
* 340e4d058 commands/memrw: Disable memory reading in lockdown mode
* 34824806a commands/minicmd: Block the dump command in lockdown mode
* c68b7d236 commands/test: Stack overflow due to unlimited recursion depth
* dad8f5029 commands/read: Fix an integer overflow when supplying more than 2^31 characters
* b970a5ed9 gettext: Integer overflow leads to heap OOB write
* 09bd6eb58 gettext: Integer overflow leads to heap OOB write or read
* 7580addfc gettext: Remove variables hooks on module unload
* 9c1619773 normal: Remove variables hooks on module unload
* 2123c5bca commands/pgp: Unregister the "check_signatures" hooks on module unload
* 0bf56bce4 commands/ls: Fix NULL dereference
* 05be856a8 commands/extcmd: Missing check for failed allocation
* 98ad84328 kern/dl: Check for the SHF_INFO_LINK flag in grub_dl_relocate_symbols()
* d72208423 kern/dl: Use correct segment in grub_dl_set_mem_attrs()
* 500e5fdd8 kern/dl: Fix for an integer overflow in grub_dl_ref()
* 2c34af908 video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
* 0707accab net/tftp: Fix stack buffer overflow in tftp_open()
* 5eef88152 net: Fix OOB write in grub_net_search_config_file()
* aa8b4d7fa net: Remove variables hooks when interface is unregisted
* a1dd8e59d net: Unregister net_default_ip and net_default_mac variables hooks on unload
* d8a937cca script/execute: Limit the recursion depth
* 8a7103fdd kern/partition: Limit recursion in part_iterate()
* 18212f064 kern/disk: Limit recursion depth
* 67f70f70a disk/loopback: Reference tracking for the loopback
* 13febd78d disk/cryptodisk: Require authentication after TPM unlock for CLI access
* 16f196874 kern/file: Implement filesystem reference counting
* a79106872 kern/file: Ensure file->data is set
* d1d6b7ea5 fs/xfs: Ensuring failing to mount sets a grub_errno
* 6ccc77b59 fs/xfs: Fix out-of-bounds read
* 067b6d225 fs/ntfs: Implement attribute verification
* 048777bc2 fs/ntfs: Use a helper function to access attributes
* 237a71184 fs/ntfs: Track the end of the MFT attribute buffer
* aff263187 fs/ntfs: Fix out-of-bounds read
* 7e2f750f0 fs/ext2: Fix out-of-bounds read for inline extents
* edd995a26 fs/jfs: Inconsistent signed/unsigned types usage in return values
* bd999310f fs/jfs: Use full 40 bits offset and address for a data extent
* ab09fd053 fs/jfs: Fix OOB read caused by invalid dir slot index
* 66175696f fs/jfs: Fix OOB read in jfs_getent()
* 1443833a9 fs/iso9660: Fix invalid free
* 965db5970 fs/iso9660: Set a grub_errno if mount fails
* f7c070a2e fs/hfsplus: Set a grub_errno if mount fails
* 563436258 fs/f2fs: Set a grub_errno if mount fails
* 0087bc690 fs/tar: Integer overflow leads to heap OOB write
* 2c8ac08c9 fs/tar: Initialize name in grub_cpio_find_file()
* 417547c10 fs/hfs: Fix stack OOB write with grub_strcpy()
* c1a291b01 fs/ufs: Fix a heap OOB write
* ea703528a misc: Implement grub_strlcpy()

Signed-off-by: Leah Rowe <leah@libreboot.org>
2025-02-20 00:23:43 +00:00

98 lines
3.4 KiB
Diff
Raw Permalink Blame History

From 233f7dd274ef2ccac7b1fc0f5cfdeb7c01aef58b Mon Sep 17 00:00:00 2001
From: Sven Anderson <sven@anderson.de>
Date: Mon, 13 Jan 2025 20:26:32 +0100
Subject: [PATCH 24/26] xhci: configure TT for non-root-hubs
---
grub-core/bus/usb/usbhub.c | 6 +++++
grub-core/bus/usb/xhci.c | 45 +++++++++++++++++++++++++++++++++-----
include/grub/usb.h | 2 ++
3 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
index e96505aa9..629b3ed53 100644
--- a/grub-core/bus/usb/usbhub.c
+++ b/grub-core/bus/usb/usbhub.c
@@ -818,3 +818,9 @@ grub_usb_iterate (grub_usb_iterate_hook_t hook, void *hook_data)
return 0;
}
+
+grub_usb_device_t
+grub_usb_get_dev (int addr)
+{
+ return grub_usb_devs[addr];
+}
diff --git a/grub-core/bus/usb/xhci.c b/grub-core/bus/usb/xhci.c
index d13a7c39d..8ad2a10f9 100644
--- a/grub-core/bus/usb/xhci.c
+++ b/grub-core/bus/usb/xhci.c
@@ -623,13 +623,46 @@ grub_xhci_alloc_inctx(struct grub_xhci *x, int maxepid,
break;
}
- /* Route is greater zero on devices that are connected to a non root hub */
- if (dev->route)
- {
- /* FIXME: Implement this code for non SuperSpeed hub devices */
+ /* Set routing string */
+ slot->ctx[0] |= dev->route;
+
+ /* Set root hub port number */
+ slot->ctx[1] |= (dev->root_port + 1) << 16;
+
+ if (dev->split_hubaddr && (dev->speed == GRUB_USB_SPEED_LOW ||
+ dev->speed == GRUB_USB_SPEED_FULL)) {
+
+ grub_usb_device_t hubdev = grub_usb_get_dev(dev->split_hubaddr);
+
+ if (!hubdev || hubdev->descdev.class != GRUB_USB_CLASS_HUB) {
+ grub_dprintf("xhci", "Invalid hub device at addr %d!\n", dev->split_hubaddr);
+ return NULL;
+ }
+
+ struct grub_xhci_priv *hub_priv = hubdev->xhci_priv;
+ if (!hub_priv) {
+ grub_dprintf("xhci", "Hub has no xhci_priv!\n");
+ return NULL;
+ }
+
+ if (hubdev->speed == GRUB_USB_SPEED_HIGH) {
+ /* Direct connection to high-speed hub - set up TT */
+ grub_dprintf("xhci", "Direct high-speed hub connection - configuring TT with "
+ "hub slot %d port %d\n", hub_priv->slotid, dev->split_hubport);
+ slot->ctx[2] |= hub_priv->slotid;
+ slot->ctx[2] |= dev->split_hubport << 8;
}
- slot->ctx[0] |= dev->route;
- slot->ctx[1] |= (dev->root_port+1) << 16;
+ else {
+ /* Hub is not high-speed, inherit TT settings from parent */
+ volatile struct grub_xhci_slotctx *hubslot;
+ grub_dprintf("xhci", "Non high-speed hub - inheriting TT settings from parent\n");
+ hubslot = grub_dma_phys2virt(x->devs[hub_priv->slotid].ptr_low, x->devs_dma);
+ slot->ctx[2] = hubslot->ctx[2];
+ }
+ }
+
+ grub_dprintf("xhci", "Slot context: ctx[0]=0x%08x ctx[1]=0x%08x ctx[2]=0x%08x\n",
+ slot->ctx[0], slot->ctx[1], slot->ctx[2]);
grub_arch_sync_dma_caches(in, size);
diff --git a/include/grub/usb.h b/include/grub/usb.h
index eb71fa1c7..df97a60cc 100644
--- a/include/grub/usb.h
+++ b/include/grub/usb.h
@@ -62,6 +62,8 @@ typedef int (*grub_usb_controller_iterate_hook_t) (grub_usb_controller_t dev,
/* Call HOOK with each device, until HOOK returns non-zero. */
int grub_usb_iterate (grub_usb_iterate_hook_t hook, void *hook_data);
+grub_usb_device_t grub_usb_get_dev (int addr);
+
grub_usb_err_t grub_usb_device_initialize (grub_usb_device_t dev);
grub_usb_err_t grub_usb_get_descriptor (grub_usb_device_t dev,
--
2.39.5
Reference in a new issue View git blame Copy permalink