From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Darren Kenny <darren.kenny@oracle.com>

Date: Tue, 8 Dec 2020 10:00:51 +0000

Subject: [PATCH] disk/ldm: Fix memory leak on uninserted lv references

The problem here is that the memory allocated to the variable lv is not

yet inserted into the list that is being processed at the label fail2.

As we can already see at line 342, which correctly frees lv before going

to fail2, we should also be doing that at these earlier jumps to fail2.

Fixes: CID 73824

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

---

 grub-core/disk/ldm.c | 10 ++++++++--

 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c

index 54713f45a12..e82e9899f96 100644

--- a/grub-core/disk/ldm.c

+++ b/grub-core/disk/ldm.c

@@ -321,7 +321,10 @@ make_vg (grub_disk_t disk,

 	  lv->visible = 1;

 	  lv->segments = grub_zalloc (sizeof (*lv->segments));

 	  if (!lv->segments)

-	    goto fail2;

+	    {

+	      grub_free (lv);

+	      goto fail2;

+	    }

 	  lv->segments->start_extent = 0;

 	  lv->segments->type = GRUB_DISKFILTER_MIRROR;

 	  lv->segments->node_count = 0;

@@ -329,7 +332,10 @@ make_vg (grub_disk_t disk,

 	  lv->segments->nodes = grub_calloc (lv->segments->node_alloc,

 					     sizeof (*lv->segments->nodes));

 	  if (!lv->segments->nodes)

-	    goto fail2;

+	    {

+	      grub_free (lv);

+	      goto fail2;

+	    }

 	  ptr = vblk[i].dynamic;

 	  if (ptr + *ptr + 1 >= vblk[i].dynamic

 	      + sizeof (vblk[i].dynamic))