Inside grub_util_fd_open, a failure while creating an IO request or opening a device frees ret (the fd) before its MsgPort is deleted. This leads to a use-after-free scenario.
Fix this by freeing ret after its MsgPort has been deleted. Signed-off-by: Srish Srinivasan <[email protected]> --- grub-core/osdep/aros/hostdisk.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/grub-core/osdep/aros/hostdisk.c b/grub-core/osdep/aros/hostdisk.c index 08723bd45..c75474933 100644 --- a/grub-core/osdep/aros/hostdisk.c +++ b/grub-core/osdep/aros/hostdisk.c @@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg) sizeof(struct IOExtTD)); if (!ret->ioreq) { - free (ret); DeleteMsgPort (ret->mp); + free (ret); return NULL; } @@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg) if (OpenDevice ((unsigned char *) tmp, unit, (struct IORequest *) ret->ioreq, flags)) { - free (tmp); - free (ret); DeleteMsgPort (ret->mp); + free (ret); + free (tmp); return NULL; } free (tmp); -- 2.43.0 _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
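Review bot: in the first hunk, under `if (!ret->ioreq)`, the corrected pair `DeleteMsgPort (ret->mp);` then `free (ret);` is the same teardown that the second hunk repeats in the `OpenDevice` failure branch, and the bug being fixed is an ordering mistake in exactly that pair. Consider routing both error paths through one cleanup label at the end of `grub_util_fd_open` so the order (message port first, then the structure that holds the pointer to it) is written once and cannot drift again. The ordering itself is right: `ret->mp` must be read before `ret` is freed.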
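Review bot: in the second hunk, the `OpenDevice (...)` failure branch frees `ret` without releasing `ret->ioreq`, which the first hunk shows was allocated and NULL-checked just above, so the lines shown appear to leak the IO request on this path. If nothing outside the visible context releases it, add a `DeleteIORequest` call on `ret->ioreq` ahead of `DeleteMsgPort (ret->mp)`. Separately, moving `free (tmp)` below the other two calls is not needed for the use-after-free fix, since `tmp` does not depend on `ret`; leaving it as the first call would keep the diff to the one line that matters.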
