nalika / rpms / grub2

Forked from rpms/grub2 2 years ago

SOURCES/0505-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader

In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
(cherry picked from commit 329633cb060957c3d2aca677ac733f07b213a63f)
(cherry picked from commit 47b839b0a801ee4852447a85fb5de91dc7d2c856)
---
 grub-core/loader/i386/efi/linux.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index a043df891f..c9a2b47370 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -482,9 +482,6 @@ fail:
   if (file)
     grub_file_close (file);
 
-  if (kernel)
-    grub_free (kernel);
-
   if (grub_errno != GRUB_ERR_NONE)
     {
       grub_dl_unref (my_mod);
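Review bot: this hunk deletes the only `grub_free (kernel)` on the `fail:` path, so on its own it turns the use-after-free into a leak; it is only correct together with the later hunk that re-adds the free below the `grub_errno != GRUB_ERR_NONE` block, and the two must land as one change. Dropping the `if (kernel)` guard is fine because `grub_free` tolerates a NULL pointer, but the reason the free has to sit after the error block (the block still reads `lh`, which points into this buffer) deserves a one-line comment at the new location so nobody hoists it back up.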
@@ -500,6 +497,8 @@ fail:
       kernel_free (params, sizeof(*params));
     }
 
+  grub_free (kernel);
+
   return grub_errno;
 }
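Review bot: the new `grub_free (kernel);` is unconditional and sits after the `kernel_free (params, ...)` cleanup, so it now runs on every exit through `fail:`, success included, not only the error paths the commit message talks about. That is the intended ordering (free the staging buffer only once nothing in the cleanup block can still dereference `lh`), but the placement is load-bearing, so add a short comment above the free stating that `lh` aliases this buffer and the error cleanup above still reads it; otherwise a future tidy-up could move it back next to `grub_file_close` and reintroduce the bug.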