* [PATCH] grub: fix CVE-2025-54771 @ 2026-01-08 9:43 amaury.couderc 2026-01-08 15:12 ` [OE-core] [PATCH][scarthgap] " Mathieu Dubois-Briand 2026-01-15 8:24 ` [OE-core] [PATCH] " Song, Jiaying (CN) 0 siblings, 2 replies; 4+ messages in thread From: amaury.couderc @ 2026-01-08 9:43 UTC (permalink / raw) To: openembedded-core; +Cc: Amaury Couderc From: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> --- .../grub/files/CVE-2025-54771.patch | 65 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54771.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54771.patch b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch new file mode 100644 index 0000000000..02beca45ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch @@ -0,0 +1,65 @@ +From d1553f532f6796578dc10809e3abc751c4e2d90f Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software <tf@miray.de> +Date: Wed, 7 Jan 2026 11:04:38 +0100 +Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close() + +With commit 16f196874 (kern/file: Implement filesystem reference +counting) files hold a reference to their file systems. + +When closing a file in grub_file_close() we should not expect +file->fs to stay valid after calling grub_dl_unref() on file->fs->mod. +So, grub_dl_unref() should be called after file->fs->fs_close(). + +Fixes: CVE-2025-54771 +Fixes: 16f196874 (kern/file: Implement filesystem reference counting) + +CVE-2025-54771 + +Upstream-Status: Backport +[https://www.openwall.com/lists/oss-security/2025/11/18/] + +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> +--- + grub-core/kern/file.c | 3 +++ + include/grub/fs.h | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c +index 750177248..81600527d 100644 +--- a/grub-core/kern/file.c ++++ b/grub-core/kern/file.c +@@ -197,6 +197,9 @@ grub_file_close (grub_file_t file) + if (file->fs->fs_close) + (file->fs->fs_close) (file); + ++ if (file->fs->mod) ++ grub_dl_unref (file->fs->mod); ++ + if (file->device) + grub_device_close (file->device); + grub_free (file->name); +diff --git a/include/grub/fs.h b/include/grub/fs.h +index 026bc3bb8..d37f38e91 100644 +--- a/include/grub/fs.h ++++ b/include/grub/fs.h +@@ -23,6 +23,7 @@ + #include <grub/device.h> + #include <grub/symbol.h> + #include <grub/types.h> ++#include <grub/dl.h> + + #include <grub/list.h> + /* For embedding types. */ +@@ -54,6 +55,9 @@ struct grub_fs + struct grub_fs *next; + struct grub_fs **prev; + ++ /* My module */ ++ grub_dl_t mod; ++ + /* My name. */ + const char *name; + +-- +2.43.0 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113..876536e42b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-61661.patch \ file://CVE-2025-61662.patch \ file://CVE-2025-61663_61664.patch \ + file://CVE-2025-54771.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" -- 2.52.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core] [PATCH][scarthgap] grub: fix CVE-2025-54771 2026-01-08 9:43 [PATCH] grub: fix CVE-2025-54771 amaury.couderc @ 2026-01-08 15:12 ` Mathieu Dubois-Briand 2026-01-15 8:24 ` [OE-core] [PATCH] " Song, Jiaying (CN) 1 sibling, 0 replies; 4+ messages in thread From: Mathieu Dubois-Briand @ 2026-01-08 15:12 UTC (permalink / raw) To: amaury.couderc, openembedded-core; +Cc: Steve Sakoman, Yoann Congal On Thu Jan 8, 2026 at 10:43 AM CET, amaury.couderc wrote: > From: Amaury Couderc <amaury.couderc@est.tech> > > Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> > --- Hi Amaury, I believe this patch is not targeting the master branch but scarthgap. Is that right? Thanks, Mathieu -- Mathieu Dubois-Briand, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [OE-core] [PATCH] grub: fix CVE-2025-54771 2026-01-08 9:43 [PATCH] grub: fix CVE-2025-54771 amaury.couderc 2026-01-08 15:12 ` [OE-core] [PATCH][scarthgap] " Mathieu Dubois-Briand @ 2026-01-15 8:24 ` Song, Jiaying (CN) 2026-01-15 15:20 ` Amaury Couderc 1 sibling, 1 reply; 4+ messages in thread From: Song, Jiaying (CN) @ 2026-01-15 8:24 UTC (permalink / raw) To: amaury.couderc@est.tech, openembedded-core@lists.openembedded.org Hi, Based on the upstream analysis and the fix commit: https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=c4fb4cbc941981894a00ba8e75d634a41967a27f;hp=cc9d621dd06bfa12eac511b37b4ceda5bd2f8246 This issue was introduced by commit 16f196874 ("kern/file: Implement filesystem reference counting"), as clearly stated in the Fixes tag of the upstream patch. According to the upstream history, commit 16f196874 is only present starting from grub-2.14-rc1. The currently used grub-2.12 version does not include this change. Therefore, grub-2.12 is not affected by CVE-2025-54771, and the proposed patch is not applicable to this version. Best regards, Jiaying -----Original Message----- From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of amaury.couderc via lists.openembedded.org Sent: Thursday, January 8, 2026 5:43 PM To: openembedded-core@lists.openembedded.org Cc: Amaury Couderc <amaury.couderc@est.tech> Subject: [OE-core] [PATCH] grub: fix CVE-2025-54771 CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. From: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> --- .../grub/files/CVE-2025-54771.patch | 65 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54771.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54771.patch b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch new file mode 100644 index 0000000000..02beca45ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch @@ -0,0 +1,65 @@ +From d1553f532f6796578dc10809e3abc751c4e2d90f Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software <tf@miray.de> +Date: Wed, 7 Jan 2026 11:04:38 +0100 +Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close() + +With commit 16f196874 (kern/file: Implement filesystem reference +counting) files hold a reference to their file systems. + +When closing a file in grub_file_close() we should not expect +file->fs to stay valid after calling grub_dl_unref() on file->fs->mod. +So, grub_dl_unref() should be called after file->fs->fs_close(). + +Fixes: CVE-2025-54771 +Fixes: 16f196874 (kern/file: Implement filesystem reference counting) + +CVE-2025-54771 + +Upstream-Status: Backport +[https://www.openwall.com/lists/oss-security/2025/11/18/] + +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> +--- + grub-core/kern/file.c | 3 +++ + include/grub/fs.h | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c index +750177248..81600527d 100644 +--- a/grub-core/kern/file.c ++++ b/grub-core/kern/file.c +@@ -197,6 +197,9 @@ grub_file_close (grub_file_t file) + if (file->fs->fs_close) + (file->fs->fs_close) (file); + ++ if (file->fs->mod) ++ grub_dl_unref (file->fs->mod); ++ + if (file->device) + grub_device_close (file->device); + grub_free (file->name); +diff --git a/include/grub/fs.h b/include/grub/fs.h index +026bc3bb8..d37f38e91 100644 +--- a/include/grub/fs.h ++++ b/include/grub/fs.h +@@ -23,6 +23,7 @@ + #include <grub/device.h> + #include <grub/symbol.h> + #include <grub/types.h> ++#include <grub/dl.h> + + #include <grub/list.h> + /* For embedding types. */ +@@ -54,6 +55,9 @@ struct grub_fs + struct grub_fs *next; + struct grub_fs **prev; + ++ /* My module */ ++ grub_dl_t mod; ++ + /* My name. */ + const char *name; + +-- +2.43.0 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113..876536e42b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-61661.patch \ file://CVE-2025-61662.patch \ file://CVE-2025-61663_61664.patch \ + file://CVE-2025-54771.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" -- 2.52.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core] [PATCH] grub: fix CVE-2025-54771 2026-01-15 8:24 ` [OE-core] [PATCH] " Song, Jiaying (CN) @ 2026-01-15 15:20 ` Amaury Couderc 0 siblings, 0 replies; 4+ messages in thread From: Amaury Couderc @ 2026-01-15 15:20 UTC (permalink / raw) To: Song, Jiaying (CN), openembedded-core@lists.openembedded.org [-- Attachment #1: Type: text/plain, Size: 4975 bytes --] Hi, According to the metadata of CVE-2025-54771, the known affected versions included grub-2.12 (link<https://github.com/CVEProject/cvelistV5/blob/main/cves/2025/54xxx/CVE-2025-54771.json>) , but we did not check for the actual first implementation of the feature that generated the CVE. Thanks for your input. Kind Regards, Amaury ________________________________ From: Song, Jiaying (CN) <Jiaying.Song.CN@windriver.com> Sent: Thursday, January 15, 2026 9:24 AM To: Amaury Couderc <amaury.couderc@est.tech>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> Subject: RE: [OE-core] [PATCH] grub: fix CVE-2025-54771 Hi, Based on the upstream analysis and the fix commit: https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commitdiff;h=c4fb4cbc941981894a00ba8e75d634a41967a27f;hp=cc9d621dd06bfa12eac511b37b4ceda5bd2f8246 This issue was introduced by commit 16f196874 ("kern/file: Implement filesystem reference counting"), as clearly stated in the Fixes tag of the upstream patch. According to the upstream history, commit 16f196874 is only present starting from grub-2.14-rc1. The currently used grub-2.12 version does not include this change. Therefore, grub-2.12 is not affected by CVE-2025-54771, and the proposed patch is not applicable to this version. Best regards, Jiaying -----Original Message----- From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of amaury.couderc via lists.openembedded.org Sent: Thursday, January 8, 2026 5:43 PM To: openembedded-core@lists.openembedded.org Cc: Amaury Couderc <amaury.couderc@est.tech> Subject: [OE-core] [PATCH] grub: fix CVE-2025-54771 CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. From: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> --- .../grub/files/CVE-2025-54771.patch | 65 +++++++++++++++++++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54771.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54771.patch b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch new file mode 100644 index 0000000000..02beca45ad --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2025-54771.patch @@ -0,0 +1,65 @@ +From d1553f532f6796578dc10809e3abc751c4e2d90f Mon Sep 17 00:00:00 2001 +From: Thomas Frauendorfer | Miray Software <tf@miray.de> +Date: Wed, 7 Jan 2026 11:04:38 +0100 +Subject: [PATCH] kern/file: Call grub_dl_unref() after fs->fs_close() + +With commit 16f196874 (kern/file: Implement filesystem reference +counting) files hold a reference to their file systems. + +When closing a file in grub_file_close() we should not expect +file->fs to stay valid after calling grub_dl_unref() on file->fs->mod. +So, grub_dl_unref() should be called after file->fs->fs_close(). + +Fixes: CVE-2025-54771 +Fixes: 16f196874 (kern/file: Implement filesystem reference counting) + +CVE-2025-54771 + +Upstream-Status: Backport +[https://www.openwall.com/lists/oss-security/2025/11/18/] + +Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> +--- + grub-core/kern/file.c | 3 +++ + include/grub/fs.h | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c index +750177248..81600527d 100644 +--- a/grub-core/kern/file.c ++++ b/grub-core/kern/file.c +@@ -197,6 +197,9 @@ grub_file_close (grub_file_t file) + if (file->fs->fs_close) + (file->fs->fs_close) (file); + ++ if (file->fs->mod) ++ grub_dl_unref (file->fs->mod); ++ + if (file->device) + grub_device_close (file->device); + grub_free (file->name); +diff --git a/include/grub/fs.h b/include/grub/fs.h index +026bc3bb8..d37f38e91 100644 +--- a/include/grub/fs.h ++++ b/include/grub/fs.h +@@ -23,6 +23,7 @@ + #include <grub/device.h> + #include <grub/symbol.h> + #include <grub/types.h> ++#include <grub/dl.h> + + #include <grub/list.h> + /* For embedding types. */ +@@ -54,6 +55,9 @@ struct grub_fs + struct grub_fs *next; + struct grub_fs **prev; + ++ /* My module */ ++ grub_dl_t mod; ++ + /* My name. */ + const char *name; + +-- +2.43.0 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 3160708113..876536e42b 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -42,6 +42,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2025-61661.patch \ file://CVE-2025-61662.patch \ file://CVE-2025-61663_61664.patch \ + file://CVE-2025-54771.patch \ " SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91" -- 2.52.0 [-- Attachment #2: Type: text/html, Size: 8643 bytes --] ^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-01-15 15:21 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-01-08 9:43 [PATCH] grub: fix CVE-2025-54771 amaury.couderc 2026-01-08 15:12 ` [OE-core] [PATCH][scarthgap] " Mathieu Dubois-Briand 2026-01-15 8:24 ` [OE-core] [PATCH] " Song, Jiaying (CN) 2026-01-15 15:20 ` Amaury Couderc
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox