Blame SOURCES/0510-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader
In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
(cherry picked from commit 329633cb060957c3d2aca677ac733f07b213a63f)
---
 grub-core/loader/i386/efi/linux.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index a043df891f..c9a2b47370 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -482,9 +482,6 @@ fail:
   if (file)
     grub_file_close (file);
 
-  if (kernel)
-    grub_free (kernel);
-
   if (grub_errno != GRUB_ERR_NONE)
     {
       grub_dl_unref (my_mod);
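Review bot: the commit message should name the statement in the `if (grub_errno != GRUB_ERR_NONE)` block that reads through lh, because the context of this hunk stops at `grub_dl_unref (my_mod);` and the dereference itself is not visible here. Without that, a later cleanup has nothing to stop it from moving the free of kernel back to the top of the fail path. A one-line comment at the new free site stating that lh points into the kernel buffer would record the ordering constraint in the code as well.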
@@ -500,6 +497,8 @@ fail:
       kernel_free (params, sizeof(*params));
     }
 
+  grub_free (kernel);
+
   return grub_errno;
 }
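Review bot: the `if (kernel)` guard from the removed lines is not carried over to the new `grub_free (kernel);` placed before `return grub_errno;`. grub_free returns early on a NULL pointer, so dropping the guard is safe, but the call now depends on kernel being initialised to NULL at its declaration for any path that reaches fail before the buffer is allocated. That declaration is outside the visible context, so it is worth confirming. The free stays outside the error block, as the removed one was, so it still runs on both the success and failure paths and the change is purely one of ordering.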