tablet/grub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

osdep/aros/hostdisk: Fix use-after-free bug during MsgPort deletion

Browse Source 
... in function grub_util_fd_open() when creation of an I/O request or
opening a device fails. The "ret", the file descriptor, will be freed
before its associated MsgPort is deleted resulting in a use-after-free
condition.

Fix this issue by freeing "ret" after its associated MsgPort has been
deleted.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
Srish Srinivasan 2025-12-08 15:51:29 +05:30 committed by Daniel Kiper
parent 18f08826f9
commit caaf50b9af
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
grub-core/osdep/aros/hostdisk.c
View File

@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg)
sizeof(struct IOExtTD));
if (!ret->ioreq)
{
free (ret);
DeleteMsgPort (ret->mp);
free (ret);
return NULL;
}
@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg)
if (OpenDevice ((unsigned char *) tmp, unit,
(struct IORequest *) ret->ioreq, flags))
{
free (tmp);
free (ret);
DeleteMsgPort (ret->mp);
free (ret);
free (tmp);
return NULL;
}
free (tmp);