[PATCH] grub: fix CVE-2025-54771

[PATCH] grub: fix CVE-2025-54771

[amaury.couderc]

From: Amaury Couderc <amaury.couderc@est.tech>

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
---
 .../grub/files/CVE-2025-54771.patch           | 65 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54771.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54771.patch b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch
new file mode 100644
index 0000000000..02beca45ad
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch
@@ -0,0 +1,65 @@
+From d1553f532f6796578dc10809e3abc751c4e2d90f Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Wed, 7 Jan 2026 11:04:38 +0100
+Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+CVE-2025-54771
+
+Upstream-Status: Backport
+[https://www.openwall.com/lists/oss-security/2025/11/18/]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ grub-core/kern/file.c | 3 +++
+ include/grub/fs.h     | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
+index 750177248..81600527d 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -197,6 +197,9 @@ grub_file_close (grub_file_t file)
+   if (file->fs->fs_close)
+     (file->fs->fs_close) (file);
+ 
++  if (file->fs->mod)
++    grub_dl_unref (file->fs->mod);
++
+   if (file->device)
+     grub_device_close (file->device);
+   grub_free (file->name);
+diff --git a/include/grub/fs.h b/include/grub/fs.h
+index 026bc3bb8..d37f38e91 100644
+--- a/include/grub/fs.h
++++ b/include/grub/fs.h
+@@ -23,6 +23,7 @@
+ #include <grub/device.h>
+ #include <grub/symbol.h>
+ #include <grub/types.h>
++#include <grub/dl.h>
+ 
+ #include <grub/list.h>
+ /* For embedding types.  */
+@@ -54,6 +55,9 @@ struct grub_fs
+   struct grub_fs *next;
+   struct grub_fs **prev;
+ 
++  /* My module */
++  grub_dl_t mod;
++
+   /* My name.  */
+   const char *name;
+ 
+-- 
+2.43.0
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 3160708113..876536e42b 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://CVE-2025-61661.patch \
            file://CVE-2025-61662.patch \
            file://CVE-2025-61663_61664.patch \
+           file://CVE-2025-54771.patch \
 "
 
 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
-- 
2.52.0

Re: [OE-core] [PATCH][scarthgap] grub: fix CVE-2025-54771

[Mathieu Dubois-Briand]

On Thu Jan 8, 2026 at 10:43 AM CET, amaury.couderc wrote:
> From: Amaury Couderc <amaury.couderc@est.tech>
>
> Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
> ---

Hi Amaury,

I believe this patch is not targeting the master branch but scarthgap.
Is that right?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

RE: [OE-core] [PATCH] grub: fix CVE-2025-54771

[Song, Jiaying (CN)]

Hi,

Based on the upstream analysis and the fix commit:
https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=c4fb4cbc941981894a00ba8e75d634a41967a27f;hp=cc9d621dd06bfa12eac511b37b4ceda5bd2f8246

This issue was introduced by commit 16f196874
("kern/file: Implement filesystem reference counting"), as clearly stated
in the Fixes tag of the upstream patch.

According to the upstream history, commit 16f196874 is only present starting
from grub-2.14-rc1. The currently used grub-2.12 version does not include
this change.

Therefore, grub-2.12 is not affected by CVE-2025-54771, and the proposed
patch is not applicable to this version.

Best regards,
Jiaying
-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of amaury.couderc via lists.openembedded.org
Sent: Thursday, January 8, 2026 5:43 PM
To: openembedded-core@lists.openembedded.org
Cc: Amaury Couderc <amaury.couderc@est.tech>
Subject: [OE-core] [PATCH] grub: fix CVE-2025-54771

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

From: Amaury Couderc <amaury.couderc@est.tech>

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
---
 .../grub/files/CVE-2025-54771.patch           | 65 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54771.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54771.patch b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch
new file mode 100644
index 0000000000..02beca45ad
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch
@@ -0,0 +1,65 @@
+From d1553f532f6796578dc10809e3abc751c4e2d90f Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Wed, 7 Jan 2026 11:04:38 +0100
+Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+CVE-2025-54771
+
+Upstream-Status: Backport
+[https://www.openwall.com/lists/oss-security/2025/11/18/]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ grub-core/kern/file.c | 3 +++
+ include/grub/fs.h     | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c index 
+750177248..81600527d 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -197,6 +197,9 @@ grub_file_close (grub_file_t file)
+   if (file->fs->fs_close)
+     (file->fs->fs_close) (file);
+
++  if (file->fs->mod)
++    grub_dl_unref (file->fs->mod);
++
+   if (file->device)
+     grub_device_close (file->device);
+   grub_free (file->name);
+diff --git a/include/grub/fs.h b/include/grub/fs.h index 
+026bc3bb8..d37f38e91 100644
+--- a/include/grub/fs.h
++++ b/include/grub/fs.h
+@@ -23,6 +23,7 @@
+ #include <grub/device.h>
+ #include <grub/symbol.h>
+ #include <grub/types.h>
++#include <grub/dl.h>
+
+ #include <grub/list.h>
+ /* For embedding types.  */
+@@ -54,6 +55,9 @@ struct grub_fs
+   struct grub_fs *next;
+   struct grub_fs **prev;
+
++  /* My module */
++  grub_dl_t mod;
++
+   /* My name.  */
+   const char *name;
+
+--
+2.43.0
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113..876536e42b 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://CVE-2025-61661.patch \
            file://CVE-2025-61662.patch \
            file://CVE-2025-61663_61664.patch \
+           file://CVE-2025-54771.patch \
 "

 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
--
2.52.0

Re: [OE-core] [PATCH] grub: fix CVE-2025-54771

[Amaury Couderc]

[-- Attachment #1: Type: text/plain, Size: 4975 bytes --]

Hi,

According to the metadata of CVE-2025-54771, the known affected versions included grub-2.12 (link<https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/54xxx/CVE-2025-54771.json>) , but we did not check for the actual first implementation of the feature that generated the CVE. Thanks for your input.

Kind Regards,

Amaury
________________________________
From: Song, Jiaying (CN) <Jiaying.Song.CN@windriver.com>
Sent: Thursday, January 15, 2026 9:24 AM
To: Amaury Couderc <amaury.couderc@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: RE: [OE-core] [PATCH] grub: fix CVE-2025-54771

Hi,

Based on the upstream analysis and the fix commit:
https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=c4fb4cbc941981894a00ba8e75d634a41967a27f;hp=cc9d621dd06bfa12eac511b37b4ceda5bd2f8246

This issue was introduced by commit 16f196874
("kern/file: Implement filesystem reference counting"), as clearly stated
in the Fixes tag of the upstream patch.

According to the upstream history, commit 16f196874 is only present starting
from grub-2.14-rc1. The currently used grub-2.12 version does not include
this change.

Therefore, grub-2.12 is not affected by CVE-2025-54771, and the proposed
patch is not applicable to this version.

Best regards,
Jiaying
-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of amaury.couderc via lists.openembedded.org
Sent: Thursday, January 8, 2026 5:43 PM
To: openembedded-core@lists.openembedded.org
Cc: Amaury Couderc <amaury.couderc@est.tech>
Subject: [OE-core] [PATCH] grub: fix CVE-2025-54771

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

From: Amaury Couderc <amaury.couderc@est.tech>

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
---
 .../grub/files/CVE-2025-54771.patch           | 65 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54771.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54771.patch b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch
new file mode 100644
index 0000000000..02beca45ad
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch
@@ -0,0 +1,65 @@
+From d1553f532f6796578dc10809e3abc751c4e2d90f Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Wed, 7 Jan 2026 11:04:38 +0100
+Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close()
+
+With commit 16f196874 (kern/file: Implement filesystem reference
+counting) files hold a reference to their file systems.
+
+When closing a file in grub_file_close() we should not expect
+file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
+So, grub_dl_unref() should be called after file->fs->fs_close().
+
+Fixes: CVE-2025-54771
+Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
+
+CVE-2025-54771
+
+Upstream-Status: Backport
+[https://www.openwall.com/lists/oss-security/2025/11/18/]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ grub-core/kern/file.c | 3 +++
+ include/grub/fs.h     | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c index
+750177248..81600527d 100644
+--- a/grub-core/kern/file.c
++++ b/grub-core/kern/file.c
+@@ -197,6 +197,9 @@ grub_file_close (grub_file_t file)
+   if (file->fs->fs_close)
+     (file->fs->fs_close) (file);
+
++  if (file->fs->mod)
++    grub_dl_unref (file->fs->mod);
++
+   if (file->device)
+     grub_device_close (file->device);
+   grub_free (file->name);
+diff --git a/include/grub/fs.h b/include/grub/fs.h index
+026bc3bb8..d37f38e91 100644
+--- a/include/grub/fs.h
++++ b/include/grub/fs.h
+@@ -23,6 +23,7 @@
+ #include <grub/device.h>
+ #include <grub/symbol.h>
+ #include <grub/types.h>
++#include <grub/dl.h>
+
+ #include <grub/list.h>
+ /* For embedding types.  */
+@@ -54,6 +55,9 @@ struct grub_fs
+   struct grub_fs *next;
+   struct grub_fs **prev;
+
++  /* My module */
++  grub_dl_t mod;
++
+   /* My name.  */
+   const char *name;
+
+--
+2.43.0
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113..876536e42b 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://CVE-2025-61661.patch \
            file://CVE-2025-61662.patch \
            file://CVE-2025-61663_61664.patch \
+           file://CVE-2025-54771.patch \
 "

 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
--
2.52.0


[-- Attachment #2: Type: text/html, Size: 8643 bytes --]