On 2025-12-08 22:30, [email protected] wrote:
Date: Mon, 8 Dec 2025 15:51:29 +0530
From: Srish Srinivasan <[email protected]>
To: [email protected]
Cc: [email protected], [email protected],
[email protected], [email protected]
Subject: [PATCH] aros/hostdisk: Fix use-after-free bug during MsgPort deletion
Message-ID: <[email protected]>
Inside grub_util_fd_open, a failure while creating an IO
request or opening a device frees ret (the fd) before its
MsgPort is deleted. This leads to a use-after-free scenario.
Fix this by freeing ret after its MsgPort has been deleted.

Hi Srish,

Suggestion on commit message:

"In function grub_util_fd_open(), if creating an I/O request or opening
a device fails, 'ret' (the file descriptor) will be freed before its
associated MsgPort is deleted, resulting in a use-after-free condition.
Fix this issue by freeing 'ret' after its associated MsgPort has been
deleted."

Signed-off-by: Srish Srinivasan <[email protected]>
Reviewed-by: Avnish Chouhan <[email protected]>
Regards,
Avnish Chouhan
---
grub-core/osdep/aros/hostdisk.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/grub-core/osdep/aros/hostdisk.c
b/grub-core/osdep/aros/hostdisk.c
index 08723bd45..c75474933 100644
--- a/grub-core/osdep/aros/hostdisk.c
+++ b/grub-core/osdep/aros/hostdisk.c
@@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg)
sizeof(struct IOExtTD));
if (!ret->ioreq)
{
- free (ret);
DeleteMsgPort (ret->mp);
+ free (ret);
return NULL;
}
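Review bot: this failure branch and the OpenDevice failure branch in the next hunk each spell out the same teardown by hand (DeleteMsgPort (ret->mp) followed by free (ret)), and that duplication is how the wrong order ended up in both places. Consider routing both branches through a single cleanup label at the end of grub_util_fd_open so the release order is written once, with a one-line comment that ret must outlive DeleteMsgPort (ret->mp) because the port pointer is read from ret.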
@@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg)
if (OpenDevice ((unsigned char *) tmp, unit,
(struct IORequest *) ret->ioreq, flags))
{
- free (tmp);
- free (ret);
DeleteMsgPort (ret->mp);
+ free (ret);
+ free (tmp);
return NULL;
}
free (tmp);
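Review bot: the OpenDevice failure branch still does not release ret->ioreq, which the earlier if (!ret->ioreq) check guarantees is non-NULL at this point; the visible cleanup is only DeleteMsgPort (ret->mp), free (ret) and free (tmp). If the request is allocated with CreateIORequest, as the sizeof(struct IOExtTD) argument in the previous hunk suggests, release it with DeleteIORequest before DeleteMsgPort (ret->mp). Separately, moving free (tmp) below free (ret) is not needed for the fix, since tmp does not depend on ret; leaving it where it was would keep the diff to the one reordering the commit message describes.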
--
2.43.0