diff options
author | Marta Rybczynska <rybczynska@gmail.com> | 2022-02-18 11:05:30 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-02 00:21:37 +0000 |
commit | 0dd3f436f474e37b01a77d31de407cea5689b62c (patch) | |
tree | 7e243e003104769b7a6a2959e6f0150b365ace4c /meta/recipes-bsp/grub | |
parent | b461e690255ddd41db9202dbab473c1390a06e69 (diff) | |
download | poky-0dd3f436f474e37b01a77d31de407cea5689b62c.tar.gz |
grub: add a fix for a memory leak
This patch adds a fix for a memory leak in grub's path construction
in zfs. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
(From OE-Core rev: f2a474545b8ba61a43fcbcd3c375c5db9f0303ca)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp/grub')
-rw-r--r-- | meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch | 121 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/grub2.inc | 1 |
2 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch new file mode 100644 index 0000000000..5ded5520e9 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com> | ||
3 | Date: Mon, 14 Dec 2020 18:54:49 -0300 | ||
4 | Subject: [PATCH] zfs: Fix resource leaks while constructing path | ||
5 | |||
6 | There are several exit points in dnode_get_path() that are causing possible | ||
7 | memory leaks. | ||
8 | |||
9 | In the while(1) the correct exit mechanism should not be to do a direct return, | ||
10 | but to instead break out of the loop, setting err first if it is not already set. | ||
11 | |||
12 | The reason behind this is that the dnode_path is a linked list, and while doing | ||
13 | through this loop, it is being allocated and built up - the only way to | ||
14 | correctly unravel it is to traverse it, which is what is being done at the end | ||
15 | of the function outside of the loop. | ||
16 | |||
17 | Several of the existing exit points correctly did a break, but not all so this | ||
18 | change makes that more consistent and should resolve the leaking of memory as | ||
19 | found by Coverity. | ||
20 | |||
21 | Fixes: CID 73741 | ||
22 | |||
23 | Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com> | ||
24 | Signed-off-by: Darren Kenny <darren.kenny@oracle.com> | ||
25 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
26 | |||
27 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8] | ||
28 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
29 | --- | ||
30 | grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++--------- | ||
31 | 1 file changed, 21 insertions(+), 9 deletions(-) | ||
32 | |||
33 | diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c | ||
34 | index 0c42cba..9087a72 100644 | ||
35 | --- a/grub-core/fs/zfs/zfs.c | ||
36 | +++ b/grub-core/fs/zfs/zfs.c | ||
37 | @@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
38 | |||
39 | if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS) | ||
40 | { | ||
41 | - grub_free (path_buf); | ||
42 | - return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory")); | ||
43 | + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory")); | ||
44 | + break; | ||
45 | } | ||
46 | err = zap_lookup (&(dnode_path->dn), cname, &objnum, | ||
47 | data, subvol->case_insensitive); | ||
48 | @@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
49 | << SPA_MINBLOCKSHIFT); | ||
50 | |||
51 | if (blksz == 0) | ||
52 | - return grub_error(GRUB_ERR_BAD_FS, "0-sized block"); | ||
53 | + { | ||
54 | + err = grub_error (GRUB_ERR_BAD_FS, "0-sized block"); | ||
55 | + break; | ||
56 | + } | ||
57 | |||
58 | sym_value = grub_malloc (sym_sz); | ||
59 | if (!sym_value) | ||
60 | - return grub_errno; | ||
61 | + { | ||
62 | + err = grub_errno; | ||
63 | + break; | ||
64 | + } | ||
65 | + | ||
66 | for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++) | ||
67 | { | ||
68 | void *t; | ||
69 | @@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
70 | if (err) | ||
71 | { | ||
72 | grub_free (sym_value); | ||
73 | - return err; | ||
74 | + break; | ||
75 | } | ||
76 | |||
77 | movesize = sym_sz - block * blksz; | ||
78 | @@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
79 | grub_memcpy (sym_value + block * blksz, t, movesize); | ||
80 | grub_free (t); | ||
81 | } | ||
82 | + if (err) | ||
83 | + break; | ||
84 | free_symval = 1; | ||
85 | } | ||
86 | path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1); | ||
87 | @@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
88 | grub_free (oldpathbuf); | ||
89 | if (free_symval) | ||
90 | grub_free (sym_value); | ||
91 | - return grub_errno; | ||
92 | + err = grub_errno; | ||
93 | + break; | ||
94 | } | ||
95 | grub_memcpy (path, sym_value, sym_sz); | ||
96 | if (free_symval) | ||
97 | @@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
98 | |||
99 | err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data); | ||
100 | if (err) | ||
101 | - return err; | ||
102 | + break; | ||
103 | } | ||
104 | else | ||
105 | { | ||
106 | - return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt"); | ||
107 | + err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt"); | ||
108 | + break; | ||
109 | } | ||
110 | |||
111 | hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp)); | ||
112 | @@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn, | ||
113 | if (!path_buf) | ||
114 | { | ||
115 | grub_free (oldpathbuf); | ||
116 | - return grub_errno; | ||
117 | + err = grub_errno; | ||
118 | + break; | ||
119 | } | ||
120 | grub_memcpy (path, sym_value, sym_sz); | ||
121 | path [sym_sz] = 0; | ||
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 360e86685b..1630235edd 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc | |||
@@ -68,6 +68,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ | |||
68 | file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \ | 68 | file://0019-disk-cryptodisk-Fix-potential-integer-overflow.patch \ |
69 | file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \ | 69 | file://0020-hfsplus-Check-that-the-volume-name-length-is-valid.patch \ |
70 | file://0021-zfs-Fix-possible-negative-shift-operation.patch \ | 70 | file://0021-zfs-Fix-possible-negative-shift-operation.patch \ |
71 | file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \ | ||
71 | " | 72 | " |
72 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" | 73 | SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" |
73 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" | 74 | SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea" |