|
|
b9d01e |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b9d01e |
From: Chris Coulson <chris.coulson@canonical.com>
|
|
|
b9d01e |
Date: Mon, 2 May 2022 14:39:31 +0200
|
|
|
b9d01e |
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
|
|
|
b9d01e |
loader
|
|
|
b9d01e |
|
|
|
b9d01e |
In some error paths in grub_cmd_linux, the pointer to lh may be
|
|
|
b9d01e |
dereferenced after the buffer it points to has been freed. There aren't
|
|
|
b9d01e |
any security implications from this because nothing else uses the
|
|
|
b9d01e |
allocator after the buffer is freed and before the pointer is
|
|
|
b9d01e |
dereferenced, but fix it anyway.
|
|
|
b9d01e |
|
|
|
b9d01e |
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
|
b9d01e |
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
|
|
|
b9d01e |
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
|
|
|
b9d01e |
(cherry picked from commit 329633cb060957c3d2aca677ac733f07b213a63f)
|
|
|
b9d01e |
---
|
|
|
b9d01e |
grub-core/loader/i386/efi/linux.c | 5 ++---
|
|
|
b9d01e |
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
b9d01e |
|
|
|
b9d01e |
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
|
b9d01e |
index a043df891f..c9a2b47370 100644
|
|
|
b9d01e |
--- a/grub-core/loader/i386/efi/linux.c
|
|
|
b9d01e |
+++ b/grub-core/loader/i386/efi/linux.c
|
|
|
b9d01e |
@@ -482,9 +482,6 @@ fail:
|
|
|
b9d01e |
if (file)
|
|
|
b9d01e |
grub_file_close (file);
|
|
|
b9d01e |
|
|
|
b9d01e |
- if (kernel)
|
|
|
b9d01e |
- grub_free (kernel);
|
|
|
b9d01e |
-
|
|
|
b9d01e |
if (grub_errno != GRUB_ERR_NONE)
|
|
|
b9d01e |
{
|
|
|
b9d01e |
grub_dl_unref (my_mod);
|
|
|
b9d01e |
@@ -500,6 +497,8 @@ fail:
|
|
|
b9d01e |
kernel_free (params, sizeof(*params));
|
|
|
b9d01e |
}
|
|
|
b9d01e |
|
|
|
b9d01e |
+ grub_free (kernel);
|
|
|
b9d01e |
+
|
|
|
b9d01e |
return grub_errno;
|
|
|
b9d01e |
}
|
|
|
b9d01e |
|