Blame SOURCES/0510-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader
In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
(cherry picked from commit 329633cb060957c3d2aca677ac733f07b213a63f)
---
 grub-core/loader/i386/efi/linux.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index a043df891f..c9a2b47370 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -482,9 +482,6 @@ fail:
   if (file)
     grub_file_close (file);
 
-  if (kernel)
-    grub_free (kernel);
-
   if (grub_errno != GRUB_ERR_NONE)
     {
       grub_dl_unref (my_mod);
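Review bot: the free removed here sat directly above the `if (grub_errno != GRUB_ERR_NONE)` block, and nothing left at `fail:` tells a later reader that `kernel` has to outlive that block. A short comment at the label saying that `lh` points into `kernel` and is still read in the error path would keep the free from being moved back up. The read of `lh` that the commit message describes is not in this context, so naming it in the message would also make the ordering easier to verify.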
@@ -500,6 +497,8 @@ fail:
       kernel_free (params, sizeof(*params));
     }
 
+  grub_free (kernel);
+
   return grub_errno;
 }
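Review bot: the new `grub_free (kernel);` before `return grub_errno;` drops the `if (kernel)` guard that the old call had, and the commit message does not mention it. That is only safe if `grub_free` accepts NULL and `kernel` is initialised to NULL before the first `goto fail`, neither of which is visible in this hunk. Please confirm both and say in the message that the guard was dropped on purpose. Since `lh` is left dangling after this call, it would also be worth a comment that nothing may be added between the free and the return that reads it.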