grub: add a fix for a memory leak

This patch fixes a memory leak in grub's affs. It is a part of a security series [1]. [1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html (From OE-Core rev: 95d61effb17a6f11abbaec6ba48cb3fa4926efb0) Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marta Rybczynska <rybczynska@gmail.com> 2022-02-18 11:05:33 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-03-02 00:21:37 +0000
commit: 10d619c8bb87493a4a502188571be33935c80f1b (patch)
tree: d14b7c1eec6edc5f4856ae1059c80ee1bb3d3df0 /meta/recipes-bsp
parent: 1246e75875a638c6f706344233b556e57f38d5e5 (diff)
download: poky-10d619c8bb87493a4a502188571be33935c80f1b.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
new file mode 100644
index 0000000000..435130516c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
+From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
+From: Darren Kenny <darren.kenny@oracle.com>
+Date: Thu, 26 Nov 2020 12:48:07 +0000
+Subject: [PATCH] affs: Fix memory leaks
+The node structure reference is being allocated but not freed if it
+reaches the end of the function. If any of the hooks had returned
+a non-zero value, then node would have been copied in to the context
+reference, but otherwise node is not stored and should be freed.
+Similarly, the call to grub_affs_create_node() replaces the allocated
+memory in node with a newly allocated structure, leaking the existing
+memory pointed by node.
+Finally, when dir->parent is set, then we again replace node with newly
+allocated memory, which seems unnecessary when we copy in the values
+from dir->parent immediately after.
+Fixes: CID 73759
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/affs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 220b371..230e26a 100644
+--- a/grub-core/fs/affs.c
+++ b/grub-core/fs/affs.c
+@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ {
+   unsigned int i;
+   struct grub_affs_file file;
+-  struct grub_fshelp_node *node = 0;
+  struct grub_fshelp_node *node, *orig_node;
+   struct grub_affs_data *data = dir->data;
+   grub_uint32_t *hashtable;
+ 
+   /* Create the directory entries for `.' and `..'.  */
+-  node = grub_zalloc (sizeof (*node));
+  node = orig_node = grub_zalloc (sizeof (*node));
+   if (!node)
+     return 1;
+     
+@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+     return 1;
+   if (dir->parent)
+     {
+-      node = grub_zalloc (sizeof (*node));
+-      if (!node)
+-       return 1;
+       *node = *dir->parent;
+       if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
+        return 1;
+@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ 
+          if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
+                                     next, &file))
+-           return 1;
+           {
+             /* Node has been replaced in function. */
+             grub_free (orig_node);
+             return 1;
+           }
+ 
+          next = grub_be_to_cpu32 (file.next);
+        }
+     }
+ 
+-  grub_free (hashtable);
+-  return 0;
+-
+  fail:
+-  grub_free (node);
+  grub_free (orig_node);
+   grub_free (hashtable);
+   return 0;
+ }
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index a660c069db..13e2b1600d 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -71,6 +71,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
           file://0023-zfs-Fix-possible-integer-overflows.patch \
           file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
+           file://0025-affs-Fix-memory-leaks.patch \
           "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
author	Marta Rybczynska <rybczynska@gmail.com>	2022-02-18 11:05:33 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-03-02 00:21:37 +0000
commit	10d619c8bb87493a4a502188571be33935c80f1b (patch)
tree	d14b7c1eec6edc5f4856ae1059c80ee1bb3d3df0 /meta/recipes-bsp
parent	1246e75875a638c6f706344233b556e57f38d5e5 (diff)
download	poky-10d619c8bb87493a4a502188571be33935c80f1b.tar.gz

diff --git a/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch new file mode 100644 index 0000000000..435130516c --- /dev/null +++ b/meta/recipes-bsp/grub/files/0025-affs-Fix-memory-leaks.patch
@@ -0,0 +1,82 @@
		1	From 929c2ce8214c53cb95abff57a89556cd18444097 Mon Sep 17 00:00:00 2001
		2	From: Darren Kenny <darren.kenny@oracle.com>
		3	Date: Thu, 26 Nov 2020 12:48:07 +0000
		4	Subject: [PATCH] affs: Fix memory leaks
		5
		6	The node structure reference is being allocated but not freed if it
		7	reaches the end of the function. If any of the hooks had returned
		8	a non-zero value, then node would have been copied in to the context
		9	reference, but otherwise node is not stored and should be freed.
		10
		11	Similarly, the call to grub_affs_create_node() replaces the allocated
		12	memory in node with a newly allocated structure, leaking the existing
		13	memory pointed by node.
		14
		15	Finally, when dir->parent is set, then we again replace node with newly
		16	allocated memory, which seems unnecessary when we copy in the values
		17	from dir->parent immediately after.
		18
		19	Fixes: CID 73759
		20
		21	Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
		22	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		23
		24	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=178ac5107389f8e5b32489d743d6824a5ebf342a]
		25	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
		26	---
		27	grub-core/fs/affs.c \| 18 ++++++++----------
		28	1 file changed, 8 insertions(+), 10 deletions(-)
		29
		30	diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
		31	index 220b371..230e26a 100644
		32	--- a/grub-core/fs/affs.c
		33	+++ b/grub-core/fs/affs.c
		34	@@ -400,12 +400,12 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
		35	{
		36	unsigned int i;
		37	struct grub_affs_file file;
		38	- struct grub_fshelp_node *node = 0;
		39	+ struct grub_fshelp_node node, orig_node;
		40	struct grub_affs_data *data = dir->data;
		41	grub_uint32_t *hashtable;
		42
		43	/* Create the directory entries for `.' and `..'. */
		44	- node = grub_zalloc (sizeof (*node));
		45	+ node = orig_node = grub_zalloc (sizeof (*node));
		46	if (!node)
		47	return 1;
		48
		49	@@ -414,9 +414,6 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
		50	return 1;
		51	if (dir->parent)
		52	{
		53	- node = grub_zalloc (sizeof (*node));
		54	- if (!node)
		55	- return 1;
		56	node = dir->parent;
		57	if (hook ("..", GRUB_FSHELP_DIR, node, hook_data))
		58	return 1;
		59	@@ -456,17 +453,18 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
		60
		61	if (grub_affs_create_node (dir, hook, hook_data, &node, &hashtable,
		62	next, &file))
		63	- return 1;
		64	+ {
		65	+ /* Node has been replaced in function. */
		66	+ grub_free (orig_node);
		67	+ return 1;
		68	+ }
		69
		70	next = grub_be_to_cpu32 (file.next);
		71	}
		72	}
		73
		74	- grub_free (hashtable);
		75	- return 0;
		76	-
		77	fail:
		78	- grub_free (node);
		79	+ grub_free (orig_node);
		80	grub_free (hashtable);
		81	return 0;
		82	}


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index a660c069db..13e2b1600d 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -71,6 +71,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
71	file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \	71	file://0022-zfs-Fix-resource-leaks-while-constructing-path.patch \
72	file://0023-zfs-Fix-possible-integer-overflows.patch \	72	file://0023-zfs-Fix-possible-integer-overflows.patch \
73	file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \	73	file://0024-zfsinfo-Correct-a-check-for-error-allocating-memory.patch \
		74	file://0025-affs-Fix-memory-leaks.patch \
74	"	75	"
75	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"	76	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
76	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"	77	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"