* Re: [OE-core] [kirkstone][PATCH] grub: fix CVE-2025-54770
2026-01-28 5:09 Hitendra Prajapati
@ 2026-02-23 13:20 ` Yoann Congal
0 siblings, 0 replies; 5+ messages in thread
From: Yoann Congal @ 2026-02-23 13:20 UTC (permalink / raw)
To: hprajapati, openembedded-core
On Wed Jan 28, 2026 at 6:09 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=954c48b9c833d64b74ced1f27701af2ea5c6f55a && https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=10e58a14db20e17d1b6a39abe38df01fef98e29d
Thanks for the patch. But the commit message needs improvement: Please
add a justification as to why you think this particular patch fixes this
CVE: Cited in the NVD report? upstream? another source?
Also, this "Upstream-Status:" line is only useful in patches, you can
remove it from the commit message.
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../grub/files/CVE-2025-54770-01.patch | 138 ++++++++++++++++++
> .../grub/files/CVE-2025-54770-02.patch | 39 +++++
> meta/recipes-bsp/grub/grub2.inc | 2 +
> 3 files changed, 179 insertions(+)
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
>
> diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> new file mode 100644
> index 0000000000..ea749fc8f6
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> @@ -0,0 +1,138 @@
> +From 954c48b9c833d64b74ced1f27701af2ea5c6f55a Mon Sep 17 00:00:00 2001
> +From: Chad Kimes <chkimes@github.com>
> +Date: Mon, 21 Mar 2022 17:29:16 -0400
> +Subject: [PATCH] net/net: Add net_set_vlan command
> +
> +Previously there was no way to set the 802.1Q VLAN identifier, despite
> +support for vlantag in the net module. The only location vlantag was
> +being populated was from PXE boot and only for Open Firmware hardware.
> +This commit allows users to manually configure VLAN information for any
> +interface.
> +
> +Example usage:
> + grub> net_ls_addr
> + efinet1 00:11:22:33:44:55 192.0.2.100
> + grub> net_set_vlan efinet1 100
> + grub> net_ls_addr
> + efinet1 00:11:22:33:44:55 192.0.2.100 vlan100
> + grub> net_set_vlan efinet1 0
> + efinet1 00:11:22:33:44:55 192.0.2.100
> +
> +Signed-off-by: Chad Kimes <chkimes@github.com>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +
> +CVE: CVE-2025-54770
> +Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=954c48b9c833d64b74ced1f27701af2ea5c6f55a]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + docs/grub.texi | 20 ++++++++++++++++++++
> + grub-core/net/net.c | 41 ++++++++++++++++++++++++++++++++++++++++-
> + 2 files changed, 60 insertions(+), 1 deletion(-)
> +
> +diff --git a/docs/grub.texi b/docs/grub.texi
> +index f8b4b3b..f7fc6d7 100644
> +--- a/docs/grub.texi
> ++++ b/docs/grub.texi
> +@@ -5493,6 +5493,7 @@ This command is only available on AArch64 systems.
> + * net_ls_dns:: List DNS servers
> + * net_ls_routes:: List routing entries
> + * net_nslookup:: Perform a DNS lookup
> ++* net_set_vlan:: Set vlan id on an interface
> + @end menu
> +
> +
> +@@ -5669,6 +5670,25 @@ is given, use default list of servers.
> + @end deffn
> +
> +
> ++@node net_set_vlan
> ++@subsection net_set_vlan
> ++
> ++@deffn Command net_set_vlan @var{interface} @var{vlanid}
> ++Set the 802.1Q VLAN identifier on @var{interface} to @var{vlanid}. For example,
> ++to set the VLAN identifier on interface @samp{efinet1} to @samp{100}:
> ++
> ++@example
> ++net_set_vlan efinet1 100
> ++@end example
> ++
> ++The VLAN identifier can be removed by setting it to @samp{0}:
> ++
> ++@example
> ++net_set_vlan efinet1 0
> ++@end example
> ++@end deffn
> ++
> ++
> + @node Internationalisation
> + @chapter Internationalisation
> +
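Review bot: The @deffn text added to docs/grub.texi does not state which values @var{vlanid} accepts, while grub_cmd_setvlan in the same patch rejects anything above 4094 with "not in the valid range of 0-4094". Suggest one sentence in the @deffn giving the 0-4094 range, so the manual and the error message agree.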
> +diff --git a/grub-core/net/net.c b/grub-core/net/net.c
> +index ec7f01c..03ede6d 100644
> +--- a/grub-core/net/net.c
> ++++ b/grub-core/net/net.c
> +@@ -1162,6 +1162,42 @@ grub_cmd_addroute (struct grub_command *cmd __attribute__ ((unused)),
> + }
> + }
> +
> ++static grub_err_t
> ++grub_cmd_setvlan (struct grub_command *cmd __attribute__ ((unused)),
> ++ int argc, char **args)
> ++{
> ++ const char *vlan_string, *vlan_string_end;
> ++ unsigned long vlantag;
> ++ struct grub_net_network_level_interface *inter;
> ++
> ++ if (argc != 2)
> ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
> ++
> ++ vlan_string = args[1];
> ++ vlantag = grub_strtoul (vlan_string, &vlan_string_end, 10);
> ++
> ++ if (*vlan_string == '\0' || *vlan_string_end != '\0')
> ++ return grub_error (GRUB_ERR_BAD_NUMBER,
> ++ N_("non-numeric or invalid number `%s'"), vlan_string);
> ++
> ++ if (vlantag > 4094)
> ++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
> ++ N_("vlan id `%s' not in the valid range of 0-4094"),
> ++ vlan_string);
> ++
> ++ FOR_NET_NETWORK_LEVEL_INTERFACES (inter)
> ++ {
> ++ if (grub_strcmp (inter->name, args[0]) != 0)
> ++ continue;
> ++
> ++ inter->vlantag = vlantag;
> ++ return GRUB_ERR_NONE;
> ++ }
> ++
> ++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
> ++ N_("network interface not found"));
> ++}
> ++
> + static void
> + print_net_address (const grub_net_network_level_netaddress_t *target)
> + {
> +@@ -1876,7 +1912,7 @@ grub_net_search_config_file (char *config, grub_size_t config_buf_len)
> + static struct grub_preboot *fini_hnd;
> +
> + static grub_command_t cmd_addaddr, cmd_deladdr, cmd_addroute, cmd_delroute;
> +-static grub_command_t cmd_lsroutes, cmd_lscards;
> ++static grub_command_t cmd_setvlan, cmd_lsroutes, cmd_lscards;
> + static grub_command_t cmd_lsaddr, cmd_slaac;
> +
> + GRUB_MOD_INIT(net)
> +@@ -1914,6 +1950,9 @@ GRUB_MOD_INIT(net)
> + cmd_delroute = grub_register_command ("net_del_route", grub_cmd_delroute,
> + N_("SHORTNAME"),
> + N_("Delete a network route."));
> ++ cmd_setvlan = grub_register_command ("net_set_vlan", grub_cmd_setvlan,
> ++ N_("SHORTNAME VLANID"),
> ++ N_("Set an interface's vlan id."));
> + cmd_lsroutes = grub_register_command ("net_ls_routes", grub_cmd_listroutes,
> + "", N_("list network routes"));
> + cmd_lscards = grub_register_command ("net_ls_cards", grub_cmd_listcards,
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
> new file mode 100644
> index 0000000000..bc56997726
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
> @@ -0,0 +1,39 @@
> +From 10e58a14db20e17d1b6a39abe38df01fef98e29d Mon Sep 17 00:00:00 2001
> +From: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Date: Fri, 9 May 2025 14:20:47 +0200
> +Subject: [PATCH] net/net: Unregister net_set_vlan command on unload
> +
> +The commit 954c48b9c (net/net: Add net_set_vlan command) added command
> +net_set_vlan to the net module. Unfortunately the commit only added the
> +grub_register_command() call on module load but missed the
> +grub_unregister_command() on unload. Let's fix this.
> +
> +Fixes: CVE-2025-54770
> +Fixes: 954c48b9c (net/net: Add net_set_vlan command)
> +
> +Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +
> +CVE: CVE-2025-54770
> +Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=10e58a14db20e17d1b6a39abe38df01fef98e29d]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + grub-core/net/net.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/grub-core/net/net.c b/grub-core/net/net.c
> +index 03ede6d..e66d192 100644
> +--- a/grub-core/net/net.c
> ++++ b/grub-core/net/net.c
> +@@ -1980,6 +1980,7 @@ GRUB_MOD_FINI(net)
> + grub_unregister_command (cmd_deladdr);
> + grub_unregister_command (cmd_addroute);
> + grub_unregister_command (cmd_delroute);
> ++ grub_unregister_command (cmd_setvlan);
> + grub_unregister_command (cmd_lsroutes);
> + grub_unregister_command (cmd_lscards);
> + grub_unregister_command (cmd_lsaddr);
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
> index 4744e26693..b21afe34f7 100644
> --- a/meta/recipes-bsp/grub/grub2.inc
> +++ b/meta/recipes-bsp/grub/grub2.inc
> @@ -63,6 +63,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
> file://CVE-2025-61661.patch \
> file://CVE-2025-61662.patch \
> file://CVE-2025-61663_61664.patch \
> + file://CVE-2025-54770-01.patch \
> + file://CVE-2025-54770-02.patch \
> "
>
> SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
--
Yoann Congal
Smile ECS
* [kirkstone][PATCH] grub: fix CVE-2025-54770
@ 2026-03-05 12:15 Hitendra Prajapati
2026-03-14 16:24 ` [OE-core] " Yoann Congal
0 siblings, 1 reply; 5+ messages in thread
From: Hitendra Prajapati @ 2026-03-05 12:15 UTC (permalink / raw)
To: openembedded-core; +Cc: Hitendra Prajapati
Pick up patch from Debian security tracker.
[0]: https://security-tracker.debian.org/tracker/CVE-2025-54770
More Details : https://nvd.nist.gov/vuln/detail/CVE-2025-54770
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
.../grub/files/CVE-2025-54770-01.patch | 138 ++++++++++++++++++
.../grub/files/CVE-2025-54770-02.patch | 39 +++++
meta/recipes-bsp/grub/grub2.inc | 2 +
3 files changed, 179 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
new file mode 100644
index 0000000000..ea749fc8f6
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
@@ -0,0 +1,138 @@
+From 954c48b9c833d64b74ced1f27701af2ea5c6f55a Mon Sep 17 00:00:00 2001
+From: Chad Kimes <chkimes@github.com>
+Date: Mon, 21 Mar 2022 17:29:16 -0400
+Subject: [PATCH] net/net: Add net_set_vlan command
+
+Previously there was no way to set the 802.1Q VLAN identifier, despite
+support for vlantag in the net module. The only location vlantag was
+being populated was from PXE boot and only for Open Firmware hardware.
+This commit allows users to manually configure VLAN information for any
+interface.
+
+Example usage:
+ grub> net_ls_addr
+ efinet1 00:11:22:33:44:55 192.0.2.100
+ grub> net_set_vlan efinet1 100
+ grub> net_ls_addr
+ efinet1 00:11:22:33:44:55 192.0.2.100 vlan100
+ grub> net_set_vlan efinet1 0
+ efinet1 00:11:22:33:44:55 192.0.2.100
+
+Signed-off-by: Chad Kimes <chkimes@github.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-54770
+Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=954c48b9c833d64b74ced1f27701af2ea5c6f55a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ docs/grub.texi | 20 ++++++++++++++++++++
+ grub-core/net/net.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 60 insertions(+), 1 deletion(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index f8b4b3b..f7fc6d7 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -5493,6 +5493,7 @@ This command is only available on AArch64 systems.
+ * net_ls_dns:: List DNS servers
+ * net_ls_routes:: List routing entries
+ * net_nslookup:: Perform a DNS lookup
++* net_set_vlan:: Set vlan id on an interface
+ @end menu
+
+
+@@ -5669,6 +5670,25 @@ is given, use default list of servers.
+ @end deffn
+
+
++@node net_set_vlan
++@subsection net_set_vlan
++
++@deffn Command net_set_vlan @var{interface} @var{vlanid}
++Set the 802.1Q VLAN identifier on @var{interface} to @var{vlanid}. For example,
++to set the VLAN identifier on interface @samp{efinet1} to @samp{100}:
++
++@example
++net_set_vlan efinet1 100
++@end example
++
++The VLAN identifier can be removed by setting it to @samp{0}:
++
++@example
++net_set_vlan efinet1 0
++@end example
++@end deffn
++
++
+ @node Internationalisation
+ @chapter Internationalisation
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index ec7f01c..03ede6d 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1162,6 +1162,42 @@ grub_cmd_addroute (struct grub_command *cmd __attribute__ ((unused)),
+ }
+ }
+
++static grub_err_t
++grub_cmd_setvlan (struct grub_command *cmd __attribute__ ((unused)),
++ int argc, char **args)
++{
++ const char *vlan_string, *vlan_string_end;
++ unsigned long vlantag;
++ struct grub_net_network_level_interface *inter;
++
++ if (argc != 2)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
++
++ vlan_string = args[1];
++ vlantag = grub_strtoul (vlan_string, &vlan_string_end, 10);
++
++ if (*vlan_string == '\0' || *vlan_string_end != '\0')
++ return grub_error (GRUB_ERR_BAD_NUMBER,
++ N_("non-numeric or invalid number `%s'"), vlan_string);
++
++ if (vlantag > 4094)
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("vlan id `%s' not in the valid range of 0-4094"),
++ vlan_string);
++
++ FOR_NET_NETWORK_LEVEL_INTERFACES (inter)
++ {
++ if (grub_strcmp (inter->name, args[0]) != 0)
++ continue;
++
++ inter->vlantag = vlantag;
++ return GRUB_ERR_NONE;
++ }
++
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("network interface not found"));
++}
++
+ static void
+ print_net_address (const grub_net_network_level_netaddress_t *target)
+ {
+@@ -1876,7 +1912,7 @@ grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ static struct grub_preboot *fini_hnd;
+
+ static grub_command_t cmd_addaddr, cmd_deladdr, cmd_addroute, cmd_delroute;
+-static grub_command_t cmd_lsroutes, cmd_lscards;
++static grub_command_t cmd_setvlan, cmd_lsroutes, cmd_lscards;
+ static grub_command_t cmd_lsaddr, cmd_slaac;
+
+ GRUB_MOD_INIT(net)
+@@ -1914,6 +1950,9 @@ GRUB_MOD_INIT(net)
+ cmd_delroute = grub_register_command ("net_del_route", grub_cmd_delroute,
+ N_("SHORTNAME"),
+ N_("Delete a network route."));
++ cmd_setvlan = grub_register_command ("net_set_vlan", grub_cmd_setvlan,
++ N_("SHORTNAME VLANID"),
++ N_("Set an interface's vlan id."));
+ cmd_lsroutes = grub_register_command ("net_ls_routes", grub_cmd_listroutes,
+ "", N_("list network routes"));
+ cmd_lscards = grub_register_command ("net_ls_cards", grub_cmd_listcards,
+--
+2.50.1
+
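Review bot: The "CVE: CVE-2025-54770" trailer in CVE-2025-54770-01.patch tags a commit whose subject is "net/net: Add net_set_vlan command". Its GRUB_MOD_INIT hunk adds grub_register_command ("net_set_vlan", ...) with no matching grub_unregister_command, and the -02 message names this very commit as the one being fixed ("Fixes: 954c48b9c"). As submitted, -01 brings a new command and the register-without-unregister pattern into the tree only so that -02 can repair it. Please state in the commit message whether net_set_vlan is present in the unpatched kirkstone grub source. If it is not, this file is a feature backport rather than a fix and should not carry the CVE tag.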
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
new file mode 100644
index 0000000000..bc56997726
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
@@ -0,0 +1,39 @@
+From 10e58a14db20e17d1b6a39abe38df01fef98e29d Mon Sep 17 00:00:00 2001
+From: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Date: Fri, 9 May 2025 14:20:47 +0200
+Subject: [PATCH] net/net: Unregister net_set_vlan command on unload
+
+The commit 954c48b9c (net/net: Add net_set_vlan command) added command
+net_set_vlan to the net module. Unfortunately the commit only added the
+grub_register_command() call on module load but missed the
+grub_unregister_command() on unload. Let's fix this.
+
+Fixes: CVE-2025-54770
+Fixes: 954c48b9c (net/net: Add net_set_vlan command)
+
+Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-54770
+Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=10e58a14db20e17d1b6a39abe38df01fef98e29d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/net/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 03ede6d..e66d192 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1980,6 +1980,7 @@ GRUB_MOD_FINI(net)
+ grub_unregister_command (cmd_deladdr);
+ grub_unregister_command (cmd_addroute);
+ grub_unregister_command (cmd_delroute);
++ grub_unregister_command (cmd_setvlan);
+ grub_unregister_command (cmd_lsroutes);
+ grub_unregister_command (cmd_lscards);
+ grub_unregister_command (cmd_lsaddr);
+--
+2.50.1
+
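Review bot: The one added line, grub_unregister_command (cmd_setvlan) in GRUB_MOD_FINI, relies on the cmd_setvlan variable that only CVE-2025-54770-01.patch declares, so -02 cannot apply or build without -01. Say so in the patch header so that the pair is not split in a later rebase. The Upstream-Status link here also uses a=patch where -01 uses a=commit on the same gitweb; using a=commit in both would be consistent.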
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 4744e26693..b21afe34f7 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -63,6 +63,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://CVE-2025-61661.patch \
file://CVE-2025-61662.patch \
file://CVE-2025-61663_61664.patch \
+ file://CVE-2025-54770-01.patch \
+ file://CVE-2025-54770-02.patch \
"
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
--
2.50.1
* Re: [OE-core] [kirkstone][PATCH] grub: fix CVE-2025-54770
2026-03-05 12:15 [kirkstone][PATCH] grub: fix CVE-2025-54770 Hitendra Prajapati
@ 2026-03-14 16:24 ` Yoann Congal
2026-03-17 6:24 ` Hitendra Prajapati
0 siblings, 1 reply; 5+ messages in thread
From: Yoann Congal @ 2026-03-14 16:24 UTC (permalink / raw)
To: hprajapati, openembedded-core
Hello,
On Thu Mar 5, 2026 at 1:15 PM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Pick up patch from Debian security tracker.
> [0]: https://security-tracker.debian.org/tracker/CVE-2025-54770
>
> More Details : https://nvd.nist.gov/vuln/detail/CVE-2025-54770
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../grub/files/CVE-2025-54770-01.patch | 138 ++++++++++++++++++
> .../grub/files/CVE-2025-54770-02.patch | 39 +++++
Is the original code before the 2 patches vulnerable?
It looks to me like the CVE vulnerability is added in -01 to then be
fixed in -02.
If that is the case, you can use CVE_CHECK_IGNORE to specify that the
vulnerable code is not present and the CVE does not apply.
Regards,
> meta/recipes-bsp/grub/grub2.inc | 2 +
> 3 files changed, 179 insertions(+)
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
>
> diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> new file mode 100644
> index 0000000000..ea749fc8f6
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-01.patch
> @@ -0,0 +1,138 @@
> +From 954c48b9c833d64b74ced1f27701af2ea5c6f55a Mon Sep 17 00:00:00 2001
> +From: Chad Kimes <chkimes@github.com>
> +Date: Mon, 21 Mar 2022 17:29:16 -0400
> +Subject: [PATCH] net/net: Add net_set_vlan command
> +
> +Previously there was no way to set the 802.1Q VLAN identifier, despite
> +support for vlantag in the net module. The only location vlantag was
> +being populated was from PXE boot and only for Open Firmware hardware.
> +This commit allows users to manually configure VLAN information for any
> +interface.
> +
> +Example usage:
> + grub> net_ls_addr
> + efinet1 00:11:22:33:44:55 192.0.2.100
> + grub> net_set_vlan efinet1 100
> + grub> net_ls_addr
> + efinet1 00:11:22:33:44:55 192.0.2.100 vlan100
> + grub> net_set_vlan efinet1 0
> + efinet1 00:11:22:33:44:55 192.0.2.100
> +
> +Signed-off-by: Chad Kimes <chkimes@github.com>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +
> +CVE: CVE-2025-54770
> +Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=954c48b9c833d64b74ced1f27701af2ea5c6f55a]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + docs/grub.texi | 20 ++++++++++++++++++++
> + grub-core/net/net.c | 41 ++++++++++++++++++++++++++++++++++++++++-
> + 2 files changed, 60 insertions(+), 1 deletion(-)
> +
> +diff --git a/docs/grub.texi b/docs/grub.texi
> +index f8b4b3b..f7fc6d7 100644
> +--- a/docs/grub.texi
> ++++ b/docs/grub.texi
> +@@ -5493,6 +5493,7 @@ This command is only available on AArch64 systems.
> + * net_ls_dns:: List DNS servers
> + * net_ls_routes:: List routing entries
> + * net_nslookup:: Perform a DNS lookup
> ++* net_set_vlan:: Set vlan id on an interface
> + @end menu
> +
> +
> +@@ -5669,6 +5670,25 @@ is given, use default list of servers.
> + @end deffn
> +
> +
> ++@node net_set_vlan
> ++@subsection net_set_vlan
> ++
> ++@deffn Command net_set_vlan @var{interface} @var{vlanid}
> ++Set the 802.1Q VLAN identifier on @var{interface} to @var{vlanid}. For example,
> ++to set the VLAN identifier on interface @samp{efinet1} to @samp{100}:
> ++
> ++@example
> ++net_set_vlan efinet1 100
> ++@end example
> ++
> ++The VLAN identifier can be removed by setting it to @samp{0}:
> ++
> ++@example
> ++net_set_vlan efinet1 0
> ++@end example
> ++@end deffn
> ++
> ++
> + @node Internationalisation
> + @chapter Internationalisation
> +
> +diff --git a/grub-core/net/net.c b/grub-core/net/net.c
> +index ec7f01c..03ede6d 100644
> +--- a/grub-core/net/net.c
> ++++ b/grub-core/net/net.c
> +@@ -1162,6 +1162,42 @@ grub_cmd_addroute (struct grub_command *cmd __attribute__ ((unused)),
> + }
> + }
> +
> ++static grub_err_t
> ++grub_cmd_setvlan (struct grub_command *cmd __attribute__ ((unused)),
> ++ int argc, char **args)
> ++{
> ++ const char *vlan_string, *vlan_string_end;
> ++ unsigned long vlantag;
> ++ struct grub_net_network_level_interface *inter;
> ++
> ++ if (argc != 2)
> ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected"));
> ++
> ++ vlan_string = args[1];
> ++ vlantag = grub_strtoul (vlan_string, &vlan_string_end, 10);
> ++
> ++ if (*vlan_string == '\0' || *vlan_string_end != '\0')
> ++ return grub_error (GRUB_ERR_BAD_NUMBER,
> ++ N_("non-numeric or invalid number `%s'"), vlan_string);
> ++
> ++ if (vlantag > 4094)
> ++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
> ++ N_("vlan id `%s' not in the valid range of 0-4094"),
> ++ vlan_string);
> ++
> ++ FOR_NET_NETWORK_LEVEL_INTERFACES (inter)
> ++ {
> ++ if (grub_strcmp (inter->name, args[0]) != 0)
> ++ continue;
> ++
> ++ inter->vlantag = vlantag;
> ++ return GRUB_ERR_NONE;
> ++ }
> ++
> ++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
> ++ N_("network interface not found"));
> ++}
> ++
> + static void
> + print_net_address (const grub_net_network_level_netaddress_t *target)
> + {
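Review bot: In grub_cmd_setvlan the final grub_error for an unknown interface returns the fixed string "network interface not found", whereas the two earlier errors echo the offending argument with `%s'. Including args[0] in that message would make a mistyped interface name obvious at the grub prompt.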
> +@@ -1876,7 +1912,7 @@ grub_net_search_config_file (char *config, grub_size_t config_buf_len)
> + static struct grub_preboot *fini_hnd;
> +
> + static grub_command_t cmd_addaddr, cmd_deladdr, cmd_addroute, cmd_delroute;
> +-static grub_command_t cmd_lsroutes, cmd_lscards;
> ++static grub_command_t cmd_setvlan, cmd_lsroutes, cmd_lscards;
> + static grub_command_t cmd_lsaddr, cmd_slaac;
> +
> + GRUB_MOD_INIT(net)
> +@@ -1914,6 +1950,9 @@ GRUB_MOD_INIT(net)
> + cmd_delroute = grub_register_command ("net_del_route", grub_cmd_delroute,
> + N_("SHORTNAME"),
> + N_("Delete a network route."));
> ++ cmd_setvlan = grub_register_command ("net_set_vlan", grub_cmd_setvlan,
> ++ N_("SHORTNAME VLANID"),
> ++ N_("Set an interface's vlan id."));
> + cmd_lsroutes = grub_register_command ("net_ls_routes", grub_cmd_listroutes,
> + "", N_("list network routes"));
> + cmd_lscards = grub_register_command ("net_ls_cards", grub_cmd_listcards,
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
> new file mode 100644
> index 0000000000..bc56997726
> --- /dev/null
> +++ b/meta/recipes-bsp/grub/files/CVE-2025-54770-02.patch
> @@ -0,0 +1,39 @@
> +From 10e58a14db20e17d1b6a39abe38df01fef98e29d Mon Sep 17 00:00:00 2001
> +From: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Date: Fri, 9 May 2025 14:20:47 +0200
> +Subject: [PATCH] net/net: Unregister net_set_vlan command on unload
> +
> +The commit 954c48b9c (net/net: Add net_set_vlan command) added command
> +net_set_vlan to the net module. Unfortunately the commit only added the
> +grub_register_command() call on module load but missed the
> +grub_unregister_command() on unload. Let's fix this.
> +
> +Fixes: CVE-2025-54770
> +Fixes: 954c48b9c (net/net: Add net_set_vlan command)
> +
> +Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +
> +CVE: CVE-2025-54770
> +Upstream-Status: Backport [https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=patch;h=10e58a14db20e17d1b6a39abe38df01fef98e29d]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + grub-core/net/net.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/grub-core/net/net.c b/grub-core/net/net.c
> +index 03ede6d..e66d192 100644
> +--- a/grub-core/net/net.c
> ++++ b/grub-core/net/net.c
> +@@ -1980,6 +1980,7 @@ GRUB_MOD_FINI(net)
> + grub_unregister_command (cmd_deladdr);
> + grub_unregister_command (cmd_addroute);
> + grub_unregister_command (cmd_delroute);
> ++ grub_unregister_command (cmd_setvlan);
> + grub_unregister_command (cmd_lsroutes);
> + grub_unregister_command (cmd_lscards);
> + grub_unregister_command (cmd_lsaddr);
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
> index 4744e26693..b21afe34f7 100644
> --- a/meta/recipes-bsp/grub/grub2.inc
> +++ b/meta/recipes-bsp/grub/grub2.inc
> @@ -63,6 +63,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
> file://CVE-2025-61661.patch \
> file://CVE-2025-61662.patch \
> file://CVE-2025-61663_61664.patch \
> + file://CVE-2025-54770-01.patch \
> + file://CVE-2025-54770-02.patch \
> "
>
> SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
--
Yoann Congal
Smile ECS
* Re: [kirkstone][PATCH] grub: fix CVE-2025-54770
2026-03-14 16:24 ` [OE-core] " Yoann Congal
@ 2026-03-17 6:24 ` Hitendra Prajapati
2026-03-17 10:37 ` [OE-core] " Yoann Congal
0 siblings, 1 reply; 5+ messages in thread
From: Hitendra Prajapati @ 2026-03-17 6:24 UTC (permalink / raw)
To: openembedded-core
Hi,
Yes, before these patches, the code is vulnerable. See [1].
[1] https://security-tracker.debian.org/tracker/CVE-2025-54770
I just backported the solution from the commit from the Debian link given in [1].
Please check it.
Regards,
Hitendra
* Re: [OE-core] [kirkstone][PATCH] grub: fix CVE-2025-54770
2026-03-17 6:24 ` Hitendra Prajapati
@ 2026-03-17 10:37 ` Yoann Congal
0 siblings, 0 replies; 5+ messages in thread
From: Yoann Congal @ 2026-03-17 10:37 UTC (permalink / raw)
To: hprajapati, openembedded-core
On Tue Mar 17, 2026 at 7:24 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Hi,
> Yes, before these patches, the code is vulnerable. See [1].
>
> [1] https://security-tracker.debian.org/tracker/CVE-2025-54770
What makes you say that from that URL? I don't see it.
> I just backported the solution from the commit from the Debian link given in [1].
>
> Please check it.
The way I see it, the CVE states:
> This flaw is a Use-after-Free issue, caused because the net_set_vlan
> command is not properly unregistered when the network module is unloaded
> from memory.
But, the net_set_vlan command does not exist in our original code (at
least it looks like it because you add it in your
CVE-2025-54770-01.patch aptly titled "net/net: Add net_set_vlan
command").
I still believe our original code is not vulnerable to CVE-2025-54770
and that CVE should only be CVE_CHECK_IGNORE'd.
Did I miss something?
Regards,
--
Yoann Congal
Smile ECS
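
The question this thread turns on (is net_set_vlan registered in the tree at all, and if so, is it unregistered on unload?) can be checked mechanically against a net.c. The script below is an added example, not code from this thread, OE-core or GRUB; the C snippets are constructed from lines visible in the quoted hunks, and `module_body`, `registered_commands`, `leaked_commands` and `classify` are hypothetical names.

```python
import re

# "cmd_x = grub_register_command ("name", ..." as written in GRUB_MOD_INIT
REGISTER_RE = re.compile(r'(\w+)\s*=\s*grub_register_command\s*\(\s*"([^"]+)"')
# "grub_unregister_command (cmd_x);" as written in GRUB_MOD_FINI
UNREGISTER_RE = re.compile(r'grub_unregister_command\s*\(\s*(\w+)\s*\)')


def module_body(source, macro):
    """Return the brace-delimited body that follows e.g. GRUB_MOD_INIT(net).

    Simplification: braces inside string literals or comments are not skipped.
    """
    m = re.search(r'\b' + re.escape(macro) + r'\s*\(\s*\w+\s*\)\s*\{', source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1] if depth == 0 else source[m.end():]


def registered_commands(source):
    """Map command name -> handle variable for every registration in INIT."""
    init = module_body(source, "GRUB_MOD_INIT")
    return {name: var for var, name in REGISTER_RE.findall(init)}


def leaked_commands(source):
    """Commands registered in INIT whose handle is never unregistered in FINI."""
    fini = module_body(source, "GRUB_MOD_FINI")
    unregistered = set(UNREGISTER_RE.findall(fini))
    return sorted(name for name, var in registered_commands(source).items()
                  if var not in unregistered)


def classify(source, command="net_set_vlan"):
    """Three-way answer for one command in one source file."""
    if command not in registered_commands(source):
        return "not-present"                    # the CVE's precondition is absent
    if command in leaked_commands(source):
        return "registered-without-unregister"  # the pattern the CVE describes
    return "balanced"                           # register and unregister both present


# Constructed sample input: a cut-down net.c with two of the commands seen in
# the hunks, plus markers where the -01 and -02 patches add their lines.
BASE = '''
GRUB_MOD_INIT(net)
{
  cmd_delroute = grub_register_command ("net_del_route", grub_cmd_delroute,
                                        N_("SHORTNAME"),
                                        N_("Delete a network route."));
/*REGISTER*/
  cmd_lsroutes = grub_register_command ("net_ls_routes", grub_cmd_listroutes,
                                        "", N_("list network routes"));
}

GRUB_MOD_FINI(net)
{
  grub_unregister_command (cmd_delroute);
/*UNREGISTER*/
  grub_unregister_command (cmd_lsroutes);
}
'''
REG = '''  cmd_setvlan = grub_register_command ("net_set_vlan", grub_cmd_setvlan,
                                       N_("SHORTNAME VLANID"),
                                       N_("Set an interface's vlan id."));'''
UNREG = '  grub_unregister_command (cmd_setvlan);'

# Constructed stand-ins for the three states discussed in the thread.
WITHOUT_COMMAND = BASE.replace("/*REGISTER*/", "").replace("/*UNREGISTER*/", "")
AFTER_01 = BASE.replace("/*REGISTER*/", REG).replace("/*UNREGISTER*/", "")
AFTER_02 = BASE.replace("/*REGISTER*/", REG).replace("/*UNREGISTER*/", UNREG)

if __name__ == "__main__":
    for label, src in (("without net_set_vlan", WITHOUT_COMMAND),
                       ("after -01 only", AFTER_01),
                       ("after -01 and -02", AFTER_02)):
        print(f"{label}: {classify(src)} leaked={leaked_commands(src)}")
```

Run against the real grub-core/net/net.c from the recipe's unpacked source, a "not-present" result is the evidence a CVE_CHECK_IGNORE entry would cite.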