42b3050a74
CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733 CVE-2021-3697 CVE-2021-3696 CVE-2021-3695 Resolves: #2070688 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
43 lines
1.3 KiB
Diff
43 lines
1.3 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Chris Coulson <chris.coulson@canonical.com>
|
|
Date: Mon, 2 May 2022 14:39:31 +0200
|
|
Subject: [PATCH] loader/i386/efi/linux: Avoid a use-after-free in the linuxefi
|
|
loader
|
|
|
|
In some error paths in grub_cmd_linux, the pointer to lh may be
|
|
dereferenced after the buffer it points to has been freed. There aren't
|
|
any security implications from this because nothing else uses the
|
|
allocator after the buffer is freed and before the pointer is
|
|
dereferenced, but fix it anyway.
|
|
|
|
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
|
|
(cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
|
|
(cherry picked from commit 4744b62e20d07674017213ac54d7442d679f9d1a)
|
|
---
|
|
grub-core/loader/i386/efi/linux.c | 5 ++---
|
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
index 3cf0f9b330..08c9fe6b0e 100644
|
|
--- a/grub-core/loader/i386/efi/linux.c
|
|
+++ b/grub-core/loader/i386/efi/linux.c
|
|
@@ -478,9 +478,6 @@ fail:
|
|
if (file)
|
|
grub_file_close (file);
|
|
|
|
- if (kernel)
|
|
- grub_free (kernel);
|
|
-
|
|
if (grub_errno != GRUB_ERR_NONE)
|
|
{
|
|
grub_dl_unref (my_mod);
|
|
@@ -496,6 +493,8 @@ fail:
|
|
kernel_free (params, sizeof(*params));
|
|
}
|
|
|
|
+ grub_free (kernel);
|
|
+
|
|
return grub_errno;
|
|
}
|
|
|