Blame SOURCES/0216-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader

In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
---
 grub-core/loader/i386/efi/linux.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 941df6400b..27bc2aa161 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -465,9 +465,6 @@ fail:
   if (file)
     grub_file_close (file);
 
-  if (kernel)
-    grub_free (kernel);
-
   if (grub_errno != GRUB_ERR_NONE)
     {
       grub_dl_unref (my_mod);
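Review bot: Nothing in the code records why `kernel` can no longer be freed at the top of the `fail:` cleanup, where the `if (kernel)` / `grub_free (kernel);` pair is removed, so a later cleanup refactor could move the free back up and reintroduce the stale `lh` access. The commit message says `lh` is dereferenced in some error paths, but the context lines here do not show that use. Suggest naming the statement that reads through `lh` in the commit message and leaving a one-line comment in the function stating that `lh` points into the `kernel` buffer, so the ordering constraint is visible to the next person touching this cleanup.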
@@ -483,6 +480,8 @@ fail:
       kernel_free (params, sizeof(*params));
     }
 
+  grub_free (kernel);
+
   return grub_errno;
 }
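Review bot: The added `grub_free (kernel);` just before `return grub_errno;` drops the `if (kernel)` guard that the removed lines had, so it now depends on `kernel` being initialised to NULL at its declaration for any `goto fail` taken before the allocation; that declaration is outside the visible context and is worth confirming. Passing NULL itself is fine, since `grub_free` returns early on a NULL pointer. Placing the call after the closing brace of the `grub_errno != GRUB_ERR_NONE` block keeps it on both the success and error paths, as before. A short comment on this line that the free must stay last because `lh` aliases the buffer would make the intent explicit.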