From 4854208f63b4fbb52458223a83152cf98f8c5702 Mon Sep 17 00:00:00 2001
From: jinkangkang
Date: Sun, 25 Jan 2026 00:56:07 +0800
Subject: [PATCH] commands/linux: verify kernel file size
---
 grub-core/loader/efi/linux.c | 7 +++++++
 grub-core/loader/i386/efi/linux.c | 7 ++++++-
 grub-core/loader/i386/linux.c | 8 ++++++++
 grub-core/loader/i386/pc/linux.c | 6 ++++++
 4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 111edf0e1d..23f8020449 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -834,6 +834,13 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 goto fail;
 filelen = grub_file_size (file);
+ if (filelen < (grub_off_t) sizeof (lh))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel %s size = %x is too small"),
+ argv[0], (unsigned) filelen);
+ goto fail;
+ }
+
 kernel = grub_malloc(filelen);
 if (!kernel)
 {
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 6c310d9879..a578da8965 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -358,7 +358,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 goto fail;
 filelen = grub_file_size (file);
-
+ if (filelen < (grub_ssize_t) sizeof (lh))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel %s size = %x is too small"),
+ argv[0], (unsigned) filelen);
+ goto fail;
+ }
 kernel = grub_malloc(filelen);
 if (!kernel)
 {
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 33a8521972..68957f1dd0 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -685,6 +685,14 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 goto fail;
 len = grub_file_size (file);
+
+ if (len < (grub_ssize_t) sizeof (lh))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel %s size = %x is too small"),
+ argv[0], (unsigned) len);
+ goto fail;
+ }
+
 kernel = grub_malloc (len);
 if (!kernel)
 {
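Review bot: In grub-core/loader/efi/linux.c the new guard proves only that `filelen` covers `sizeof (lh)`, so it bounds the fixed-size header and nothing beyond it. The rest of grub_cmd_linux lies outside the hunk; if it goes on to read from `kernel` at offsets or lengths taken from fields of `lh`, each of those still needs its own comparison against `filelen`, because a file can pass this check and still be shorter than its header claims. I would state that limit above the check, e.g. `/* Guarantees only that sizeof (lh) bytes exist; offsets read from lh must be bounded against filelen separately. */`. The same applies to the matching guards in i386/efi/linux.c, i386/linux.c and i386/pc/linux.c.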
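Review bot: The comparison in grub-core/loader/i386/efi/linux.c casts `sizeof (lh)` to `grub_ssize_t`, whereas the efi/linux.c guard uses `grub_off_t`; the hunks for i386/linux.c and i386/pc/linux.c use the signed cast too. The declarations of `filelen` and `len` are outside the hunks, but if they are signed, the size from grub_file_size() has already been narrowed by the assignment before it is tested, and on a 32-bit target a very large file could wrap to a negative value (reported as "too small") or to a positive length that passes the check but no longer matches the file. Testing the unconverted size avoids that: `if (grub_file_size (file) < (grub_off_t) sizeof (lh))`. This hunk also removes the blank line after the assignment that the other three files keep, which is worth restoring for consistency.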
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index 54a76504a7..c9811afeab 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -147,6 +147,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 goto fail;
 len = grub_file_size (file);
+ if (len < (grub_ssize_t) sizeof (lh))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel %s size = %x is too small"),
+ argv[0], (unsigned) len);
+ goto fail;
+ }
 kernel = grub_malloc (len);
 if (!kernel)
 {