From: "Yoann Congal" <yoann.congal@smile.fr>
To: <hprajapati@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [kirkstone][PATCH] grub: fix CVE-2025-54770
Date: Sat, 14 Mar 2026 17:24:20 +0100 [thread overview]
Message-ID: <DH2N7SRYPRQ3.39K4ACZDXQF9@smile.fr> (raw)
In-Reply-To: <20260305121517.15675-1-hprajapati@mvista.com>
Hello,
On Thu Mar 5, 2026 at 1:15 PM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Pick up patch from Debian security tracker.
> [0]: https://security-tracker.debian.org/tracker/CVE-2025-54770
>
> More Details : https://nvd.nist.gov/vuln/detail/CVE-2025-54770
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../grub/files/CVE-2025-54770-01.patch | 138 ++++++++++++++++++
> .../grub/files/CVE-2025-54770-02.patch | 39 +++++
Is the original code before the 2 patches vulnerable?
It looks to me like the CVE vulnerability is added in -01 to then, be
fixed in -02.
If that the case, you can use CVE_CHECK_IGNORE to specify that the
vulneratble code is not present and the CVE does not apply.
Regards,
> meta/recipes-bsp/grub/grub2.inc | 2 +
> 3 files changed, 179 insertions(+)
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
>
> diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> new file mode 100644
> index 0000000000..ea749fc8f6
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> @@ -0,0 +1,138 @@
> +From 954c48b9c833d64b74ced1f27701af2ea5c6f55a Mon Sep 17 00:00:00 2001
> +From: Chad Kimes <chkimes@github.com>
> +Date: Mon, 21 Mar 2022 17:29:16 -0400
> +Subject: [PATCH] net/net: Add net_set_vlan command
> +
> +Previously there was no way to set the 802.1Q VLAN identifier, despite
> +support for vlantag in the net module. The only location vlantag was
> +being populated was from PXE boot and only for Open Firmware hardware.
> +This commit allows users to manually configure VLAN information for any
> +interface.
> +
> +Example usage:
> + grub> net_ls_addr
> + efinet1 00:11:22:33:44:55 192.0.2.100
> + grub> net_set_vlan efinet1 100
> + grub> net_ls_addr
> + efinet1 00:11:22:33:44:55 192.0.2.100 vlan100
> + grub> net_set_vlan efinet1 0
> + efinet1 00:11:22:33:44:55 192.0.2.100
> +
> +Signed-off-by: Chad Kimes <chkimes@github.com>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +
> +CVE: CVE-2025-54770
> +Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=954c48b9c833d64b74ced1f27701af2ea5c6f55a]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + docs/grub.texi | 20 ++++++++++++++++++++
> + grub-core/net/net.c | 41 ++++++++++++++++++++++++++++++++++++++++-
> + 2 files changed, 60 insertions(+), 1 deletion(-)
> +
> +diff --git a/docs/grub.texi b/docs/grub.texi
> +index f8b4b3b..f7fc6d7 100644
> +--- a/docs/grub.texi
> ++++ b/docs/grub.texi
> +@@ -5493,6 +5493,7 @@ This command is only available on AArch64 systems.
> + * net_ls_dns:: List DNS servers
> + * net_ls_routes:: List routing entries
> + * net_nslookup:: Perform a DNS lookup
> ++* net_set_vlan:: Set vlan id on an interface
> + @end menu
> +
> +
> +@@ -5669,6 +5670,25 @@ is given, use default list of servers.
> + @end deffn
> +
> +
> ++@node net_set_vlan
> ++@subsection net_set_vlan
> ++
> ++@deffn Command net_set_vlan @var{interface} @var{vlanid}
> ++Set the 802.1Q VLAN identifier on @var{interface} to @var{vlanid}. For example,
> ++to set the VLAN identifier on interface @samp{efinet1} to @samp{100}:
> ++
> ++@example
> ++net_set_vlan efinet1 100
> ++@end example
> ++
> ++The VLAN identifier can be removed by setting it to @samp{0}:
> ++
> ++@example
> ++net_set_vlan efinet1 0
> ++@end example
> ++@end deffn
> ++
> ++
> + @node Internationalisation
> + @chapter Internationalisation
> +
> +diff --git a/grub-core/net/net.c b/grub-core/net/net.c
> +index ec7f01c..03ede6d 100644
> +--- a/grub-core/net/net.c
> ++++ b/grub-core/net/net.c
> +@@ -1162,6 +1162,42 @@ grub_cmd_addroute (struct grub_command *cmd __attribute__ ((unused)),
> + }
> + }
> +
> ++static grub_err_t
> ++grub_cmd_setvlan (struct grub_command *cmd __attribute__ ((unused)),
> ++ int argc, char **args)
> ++{
> ++ const char *vlan_string, *vlan_string_end;
> ++ unsigned long vlantag;
> ++ struct grub_net_network_level_interface *inter;
> ++
> ++ if (argc != 2)
> ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
> ++
> ++ vlan_string = args[1];
> ++ vlantag = grub_strtoul (vlan_string, &vlan_string_end, 10);
> ++
> ++ if (*vlan_string == '\0' || *vlan_string_end != '\0')
> ++ return grub_error (GRUB_ERR_BAD_NUMBER,
> ++ N_("non-numeric or invalid number `%s'"), vlan_string);
> ++
> ++ if (vlantag > 4094)
> ++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
> ++ N_("vlan id `%s' not in the valid range of 0-4094"),
> ++ vlan_string);
> ++
> ++ FOR_NET_NETWORK_LEVEL_INTERFACES (inter)
> ++ {
> ++ if (grub_strcmp (inter->name, args[0]) != 0)
> ++ continue;
> ++
> ++ inter->vlantag = vlantag;
> ++ return GRUB_ERR_NONE;
> ++ }
> ++
> ++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
> ++ N_("network interface not found"));
> ++}
> ++
> + static void
> + print_net_address (const grub_net_network_level_netaddress_t *target)
> + {
> +@@ -1876,7 +1912,7 @@ grub_net_search_config_file (char *config, grub_size_t config_buf_len)
> + static struct grub_preboot *fini_hnd;
> +
> + static grub_command_t cmd_addaddr, cmd_deladdr, cmd_addroute, cmd_delroute;
> +-static grub_command_t cmd_lsroutes, cmd_lscards;
> ++static grub_command_t cmd_setvlan, cmd_lsroutes, cmd_lscards;
> + static grub_command_t cmd_lsaddr, cmd_slaac;
> +
> + GRUB_MOD_INIT(net)
> +@@ -1914,6 +1950,9 @@ GRUB_MOD_INIT(net)
> + cmd_delroute = grub_register_command ("net_del_route", grub_cmd_delroute,
> + N_("SHORTNAME"),
> + N_("Delete a network route."));
> ++ cmd_setvlan = grub_register_command ("net_set_vlan", grub_cmd_setvlan,
> ++ N_("SHORTNAME VLANID"),
> ++ N_("Set an interface's vlan id."));
> + cmd_lsroutes = grub_register_command ("net_ls_routes", grub_cmd_listroutes,
> + "", N_("list network routes"));
> + cmd_lscards = grub_register_command ("net_ls_cards", grub_cmd_listcards,
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
> new file mode 100644
> index 0000000000..bc56997726
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
> @@ -0,0 +1,39 @@
> +From 10e58a14db20e17d1b6a39abe38df01fef98e29d Mon Sep 17 00:00:00 2001
> +From: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Date: Fri, 9 May 2025 14:20:47 +0200
> +Subject: [PATCH] net/net: Unregister net_set_vlan command on unload
> +
> +The commit 954c48b9c (net/net: Add net_set_vlan command) added command
> +net_set_vlan to the net module. Unfortunately the commit only added the
> +grub_register_command() call on module load but missed the
> +grub_unregister_command() on unload. Let's fix this.
> +
> +Fixes: CVE-2025-54770
> +Fixes: 954c48b9c (net/net: Add net_set_vlan command)
> +
> +Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +
> +CVE: CVE-2025-54770
> +Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=10e58a14db20e17d1b6a39abe38df01fef98e29d]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + grub-core/net/net.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/grub-core/net/net.c b/grub-core/net/net.c
> +index 03ede6d..e66d192 100644
> +--- a/grub-core/net/net.c
> ++++ b/grub-core/net/net.c
> +@@ -1980,6 +1980,7 @@ GRUB_MOD_FINI(net)
> + grub_unregister_command (cmd_deladdr);
> + grub_unregister_command (cmd_addroute);
> + grub_unregister_command (cmd_delroute);
> ++ grub_unregister_command (cmd_setvlan);
> + grub_unregister_command (cmd_lsroutes);
> + grub_unregister_command (cmd_lscards);
> + grub_unregister_command (cmd_lsaddr);
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
> index 4744e26693..b21afe34f7 100644
> --- a/meta/recipes-bsp/grub/grub2.inc
> +++ b/meta/recipes-bsp/grub/grub2.inc
> @@ -63,6 +63,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
> file://CVE-2025-61661.patch \
> file://CVE-2025-61662.patch \
> file://CVE-2025-61663_61664.patch \
> + file://CVE-2025-54770-01.patch \
> + file://CVE-2025-54770-02.patch \
> "
>
> SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-03-14 16:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 12:15 [kirkstone][PATCH] grub: fix CVE-2025-54770 Hitendra Prajapati
2026-03-14 16:24 ` Yoann Congal [this message]
2026-03-17 6:24 ` Hitendra Prajapati
2026-03-17 10:37 ` [OE-core] " Yoann Congal
-- strict thread matches above, loose matches on Subject: below --
2026-01-28 5:09 Hitendra Prajapati
2026-02-23 13:20 ` [OE-core] " Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DH2N7SRYPRQ3.39K4ACZDXQF9@smile.fr \
--to=yoann.congal@smile.fr \
--cc=hprajapati@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox