From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Mon, 2 May 2022 14:39:31 +0200
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
 loader

In some error paths in grub_cmd_linux, the pointer to lh may be
dereferenced after the buffer it points to has been freed. There aren't
any security implications from this because nothing else uses the
allocator after the buffer is freed and before the pointer is
dereferenced, but fix it anyway.

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
--- |
|
grub-core/loader/i386/efi/linux.c | 5 ++--- |
|
1 file changed, 2 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c |
|
index 3cf0f9b330..08c9fe6b0e 100644 |
|
--- a/grub-core/loader/i386/efi/linux.c |
|
+++ b/grub-core/loader/i386/efi/linux.c |
|
@@ -478,9 +478,6 @@ fail: |
|
if (file) |
|
grub_file_close (file); |
|
|
|
- if (kernel) |
|
- grub_free (kernel); |
|
- |
|
if (grub_errno != GRUB_ERR_NONE) |
|
{ |
|
grub_dl_unref (my_mod); |
|
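Review bot: the dereference of lh that motivates dropping `if (kernel) grub_free (kernel);` from the top of the fail: path is not in this hunk's context, so the ordering fix cannot be confirmed from the diff alone. Suggest naming in the commit message the statement in the `if (grub_errno != GRUB_ERR_NONE)` block that reads through lh, so a reader can check that every use now precedes the free that the next hunk places before `return grub_errno;`.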
@@ -496,6 +493,8 @@ fail: |
|
kernel_free (params, sizeof(*params)); |
|
} |
|
|
|
+ grub_free (kernel); |
|
+ |
|
return grub_errno; |
|
} |
|
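Review bot: the added `grub_free (kernel);` before `return grub_errno;` drops the `if (kernel)` guard the removed lines had. That is safe because grub_free returns early on a NULL pointer, but the old guard implies kernel can be NULL here, so the commit message should say the guard was dropped on purpose. Also consider a one-line comment above the call stating that lh points into this buffer (as the commit message describes) and that the free must stay last, so a later cleanup does not move it back above the error block.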
|
|
|