> On 19 Nov 2025, at 12:07 PM, Alec Brown via Grub-devel <[email protected]> wrote:
>
> In the function free_subchunk(), after checking that subchu->post isn't NULL,
> grub_memset() is called on subchu->pre->freebytes but it should be called on
> subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL,
> then this could lead to a NULL pointer dereference.
>
> Fixes: CID 473882
>
> Signed-off-by: Vladimir Serbinenko <[email protected]>
> Signed-off-by: Alec Brown <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]> Thanks, Sudhakar > --- > grub-core/lib/relocator.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c > index 1e1e09704..37da0c6db 100644 > --- a/grub-core/lib/relocator.c > +++ b/grub-core/lib/relocator.c > @@ -398,9 +398,9 @@ free_subchunk (const struct grub_relocator_subchunk > *subchu) > if (subchu->post) > { > int off = subchu->start + subchu->size - fend; > - grub_memset (subchu->pre->freebytes, > - 0xff, sizeof (subchu->pre->freebytes) - off / 8); > - subchu->pre->freebytes[off / 8] |= ((1 << (8 - (off % 8))) - 1); > + grub_memset (subchu->post->freebytes, > + 0xff, sizeof (subchu->post->freebytes) - off / 8 - 1); > + subchu->post->freebytes[sizeof (subchu->post->freebytes) - off / 8 - 1] > |= ((1 << (8 - (off % 8))) - 1); > check_leftover (subchu->post); > } > #endif > -- > 2.27.0 > > > _______________________________________________ > Grub-devel mailing list > [email protected] > https://lists.gnu.org/mailman/listinfo/grub-devel _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
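
Review bot: The two added lines in the `if (subchu->post)` block change more than the pointer the commit message talks about: the grub_memset length gains a `- 1`, and the partially set byte moves from index `off / 8` to `sizeof (subchu->post->freebytes) - off / 8 - 1`. The message should explain why the length and the index change, since a reader bisecting to this commit will only expect the pre/post swap. Separately, nothing in the visible hunk bounds `off`, which is a signed `int` computed as `subchu->start + subchu->size - fend`. If `off / 8` reaches `sizeof (subchu->post->freebytes)`, the expression `sizeof (...) - off / 8 - 1` wraps, because `sizeof` yields an unsigned type, and both the memset length and the array index then land outside `freebytes`. A negative `off` also makes `8 - (off % 8)` exceed 8, so the mask is wider than one byte. Consider checking that `off` is non-negative and smaller than `8 * sizeof (subchu->post->freebytes)` before the grub_memset call, or stating in a comment which invariant already guarantees it.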
