|
 |
1c6ba0 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
1c6ba0 |
From: Chris Coulson <chris.coulson@canonical.com>
|
|
|
1c6ba0 |
Date: Mon, 2 May 2022 14:39:31 +0200
|
|
|
1c6ba0 |
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
|
|
|
1c6ba0 |
loader
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
In some error paths in grub_cmd_linux, the pointer to lh may be
|
|
|
1c6ba0 |
dereferenced after the buffer it points to has been freed. There aren't
|
|
|
1c6ba0 |
any security implications from this because nothing else uses the
|
|
|
1c6ba0 |
allocator after the buffer is freed and before the pointer is
|
|
|
1c6ba0 |
dereferenced, but fix it anyway.
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
|
1c6ba0 |
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
|
|
|
1c6ba0 |
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
|
|
|
1c6ba0 |
---
|
|
|
1c6ba0 |
grub-core/loader/i386/efi/linux.c | 5 ++---
|
|
|
1c6ba0 |
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
|
1c6ba0 |
index 3cf0f9b330..08c9fe6b0e 100644
|
|
|
1c6ba0 |
--- a/grub-core/loader/i386/efi/linux.c
|
|
|
1c6ba0 |
+++ b/grub-core/loader/i386/efi/linux.c
|
|
|
1c6ba0 |
@@ -478,9 +478,6 @@ fail:
|
|
|
1c6ba0 |
if (file)
|
|
|
1c6ba0 |
grub_file_close (file);
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
- if (kernel)
|
|
|
1c6ba0 |
- grub_free (kernel);
|
|
|
1c6ba0 |
-
|
|
|
1c6ba0 |
if (grub_errno != GRUB_ERR_NONE)
|
|
|
1c6ba0 |
{
|
|
|
1c6ba0 |
grub_dl_unref (my_mod);
|
|
|
1c6ba0 |
@@ -496,6 +493,8 @@ fail:
|
|
|
1c6ba0 |
kernel_free (params, sizeof(*params));
|
|
|
1c6ba0 |
}
|
|
|
1c6ba0 |
|
|
|
1c6ba0 |
+ grub_free (kernel);
|
|
|
1c6ba0 |
+
|
|
|
1c6ba0 |
return grub_errno;
|
|
|
1c6ba0 |
}
|
|
|
1c6ba0 |
|