From caaf50b9affbd4c9e7313a4fdc03c4fa439a6a1f Mon Sep 17 00:00:00 2001
From: Srish Srinivasan <ssrish@linux.ibm.com>
Date: Mon, 8 Dec 2025 15:51:29 +0530
Subject: [PATCH] osdep/aros/hostdisk: Fix use-after-free bug during MsgPort
 deletion

... in function grub_util_fd_open() when creation of an I/O request or
opening a device fails. The "ret", the file descriptor, will be freed
before its associated MsgPort is deleted resulting in a use-after-free
condition.

Fix this issue by freeing "ret" after its associated MsgPort has been
deleted.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/osdep/aros/hostdisk.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/grub-core/osdep/aros/hostdisk.c b/grub-core/osdep/aros/hostdisk.c
index 08723bd45..c75474933 100644
--- a/grub-core/osdep/aros/hostdisk.c
+++ b/grub-core/osdep/aros/hostdisk.c
@@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg)
 						 sizeof(struct IOExtTD));
   if (!ret->ioreq)
     {
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
       return NULL;
     }
 
@@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg)
   if (OpenDevice ((unsigned char *) tmp, unit,
 		  (struct IORequest *) ret->ioreq, flags))
     {
-      free (tmp);
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
+      free (tmp);
       return NULL;
     }
   free (tmp);