Blame SOURCES/0454-loader-i386-efi-linux-Avoid-a-use-after-free-in-the-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader

In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
(cherry picked from commit 329633cb060957c3d2aca677ac733f07b213a63f)
(cherry picked from commit c74456404adfb1ed0043c1de0b475e0d84c5c480)
---
 grub-core/loader/i386/efi/linux.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index c146bc58e3..bafee49852 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -343,9 +343,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   if (file)
     grub_file_close (file);
 
-  if (kernel)
-    grub_free (kernel);
-
   if (grub_errno != GRUB_ERR_NONE)
     {
       grub_dl_unref (my_mod);
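Review bot: The commit message justifies this removal by a later dereference of lh, but the lines removed here free kernel, and nothing in the hunk connects the two. If lh points into the kernel buffer, as the fix implies, say so in the message or in a short comment at the relocated grub_free (kernel), so that a later cleanup does not move the free back above code that still reads lh.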
@@ -365,6 +362,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
     grub_efi_free_pages ((grub_efi_physical_address_t)(grub_addr_t)params,
 			 BYTES_TO_PAGES(16384));
 
+  grub_free (kernel);
+
   return grub_errno;
 }
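Review bot: The re-added grub_free (kernel) just before return grub_errno is unconditional, while the code it replaces was guarded by if (kernel). That is only safe if kernel is initialised to NULL at its declaration and grub_free accepts a NULL pointer on every path that reaches this cleanup; confirm both, or keep the guard so the relocated free behaves exactly like the lines removed in the first hunk.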