Blame SOURCES/0236-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader

In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
---
 grub-core/loader/i386/efi/linux.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 3cf0f9b330..08c9fe6b0e 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -478,9 +478,6 @@ fail:
   if (file)
     grub_file_close (file);
 
-  if (kernel)
-    grub_free (kernel);
-
   if (grub_errno != GRUB_ERR_NONE)
     {
       grub_dl_unref (my_mod);
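Review bot: With `if (kernel) grub_free (kernel);` gone from the top of the fail: path, nothing at this spot records why the buffer has to stay allocated through the error block that follows. The commit message says lh is dereferenced after the buffer is freed on some error paths; a one-line comment at fail: stating that the kernel buffer must not be released until the cleanup below has finished with lh would keep a later refactor from moving the free back up.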
@@ -496,6 +493,8 @@ fail:
       kernel_free (params, sizeof(*params));
     }
 
+  grub_free (kernel);
+
   return grub_errno;
 }
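Review bot: The relocated `grub_free (kernel);` before `return grub_errno;` drops the `if (kernel)` guard, so it now relies on grub_free ignoring a NULL pointer and on kernel being initialised to NULL at its declaration, which is outside the visible context. grub_free does tolerate NULL, so the unguarded call is fine if the initialisation holds; please confirm that for the `goto fail` paths taken before the buffer is allocated, and mention in the commit message that the guard was dropped on purpose.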