1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
new file mode 100644
index 0000000000..5ded5520e9
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
+From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
+From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Date: Mon, 14 Dec 2020 18:54:49 -0300
+Subject: [PATCH] zfs: Fix resource leaks while constructing path
+There are several exit points in dnode_get_path() that are causing possible
+memory leaks.
+In the while(1) the correct exit mechanism should not be to do a direct return,
+but to instead break out of the loop, setting err first if it is not already set.
+The reason behind this is that the dnode_path is a linked list, and while doing
+through this loop, it is being allocated and built up - the only way to
+correctly unravel it is to traverse it, which is what is being done at the end
+of the function outside of the loop.
+Several of the existing exit points correctly did a break, but not all so this
+change makes that more consistent and should resolve the leaking of memory as
+found by Coverity.
+Fixes: CID 73741
+Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/fs/zfs/zfs.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 0c42cba..9087a72 100644
+--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
+@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+ 
+       if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
+        {
+-         grub_free (path_buf);
+-         return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
+         err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
+         break;
+        }
+       err = zap_lookup (&(dnode_path->dn), cname, &objnum,
+                        data, subvol->case_insensitive);
+@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+                       << SPA_MINBLOCKSHIFT);
+ 
+              if (blksz == 0)
+-               return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
+                {
+                  err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
+                  break;
+                }
+ 
+              sym_value = grub_malloc (sym_sz);
+              if (!sym_value)
+-               return grub_errno;
+               {
+                 err = grub_errno;
+                 break;
+               }
+
+              for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
+                {
+                  void *t;
+@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+                  if (err)
+                    {
+                      grub_free (sym_value);
+-                     return err;
+                     break;
+                    }
+ 
+                  movesize = sym_sz - block * blksz;
+@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+                  grub_memcpy (sym_value + block * blksz, t, movesize);
+                  grub_free (t);
+                }
+               if (err)
+                 break;
+              free_symval = 1;
+            }       
+          path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
+@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+              grub_free (oldpathbuf);
+              if (free_symval)
+                grub_free (sym_value);
+-             return grub_errno;
+             err = grub_errno;
+             break;
+            }
+          grub_memcpy (path, sym_value, sym_sz);
+          if (free_symval)
+@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+              
+              err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
+              if (err)
+-               return err;
+               break;
+            }
+          else
+            {
+-             return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
+             err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
+             break;
+            }
+ 
+          hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
+@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume *subvol, const char *path_in, dnode_end_t *dn,
+              if (!path_buf)
+                {
+                  grub_free (oldpathbuf);
+-                 return grub_errno;
+                 err = grub_errno;
+                 break;
+                }
+              grub_memcpy (path, sym_value, sym_sz);
+              path [sym_sz] = 0;

diff --git a/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch new file mode 100644 index 0000000000..5ded5520e9 --- /dev/null +++ b/meta/recipes-bsp/grub/files/0022-zfs-Fix-resource-leaks-while-constructing-path.patch
@@ -0,0 +1,121 @@
	1	From 83fdffc07ec4586b375ab36189f255ffbd8f99c2 Mon Sep 17 00:00:00 2001
	2	From: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
	3	Date: Mon, 14 Dec 2020 18:54:49 -0300
	4	Subject: [PATCH] zfs: Fix resource leaks while constructing path
	5
	6	There are several exit points in dnode_get_path() that are causing possible
	7	memory leaks.
	8
	9	In the while(1) the correct exit mechanism should not be to do a direct return,
	10	but to instead break out of the loop, setting err first if it is not already set.
	11
	12	The reason behind this is that the dnode_path is a linked list, and while doing
	13	through this loop, it is being allocated and built up - the only way to
	14	correctly unravel it is to traverse it, which is what is being done at the end
	15	of the function outside of the loop.
	16
	17	Several of the existing exit points correctly did a break, but not all so this
	18	change makes that more consistent and should resolve the leaking of memory as
	19	found by Coverity.
	20
	21	Fixes: CID 73741
	22
	23	Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@canonical.com>
	24	Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
	25	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	26
	27	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=89bdab965805e8d54d7f75349024e1a11cbe2eb8]
	28	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	29	---
	30	grub-core/fs/zfs/zfs.c \| 30 +++++++++++++++++++++---------
	31	1 file changed, 21 insertions(+), 9 deletions(-)
	32
	33	diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
	34	index 0c42cba..9087a72 100644
	35	--- a/grub-core/fs/zfs/zfs.c
	36	+++ b/grub-core/fs/zfs/zfs.c
	37	@@ -2836,8 +2836,8 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	38
	39	if (dnode_path->dn.dn.dn_type != DMU_OT_DIRECTORY_CONTENTS)
	40	{
	41	- grub_free (path_buf);
	42	- return grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
	43	+ err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("not a directory"));
	44	+ break;
	45	}
	46	err = zap_lookup (&(dnode_path->dn), cname, &objnum,
	47	data, subvol->case_insensitive);
	48	@@ -2879,11 +2879,18 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	49	<< SPA_MINBLOCKSHIFT);
	50
	51	if (blksz == 0)
	52	- return grub_error(GRUB_ERR_BAD_FS, "0-sized block");
	53	+ {
	54	+ err = grub_error (GRUB_ERR_BAD_FS, "0-sized block");
	55	+ break;
	56	+ }
	57
	58	sym_value = grub_malloc (sym_sz);
	59	if (!sym_value)
	60	- return grub_errno;
	61	+ {
	62	+ err = grub_errno;
	63	+ break;
	64	+ }
	65	+
	66	for (block = 0; block < (sym_sz + blksz - 1) / blksz; block++)
	67	{
	68	void *t;
	69	@@ -2893,7 +2900,7 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	70	if (err)
	71	{
	72	grub_free (sym_value);
	73	- return err;
	74	+ break;
	75	}
	76
	77	movesize = sym_sz - block * blksz;
	78	@@ -2903,6 +2910,8 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	79	grub_memcpy (sym_value + block * blksz, t, movesize);
	80	grub_free (t);
	81	}
	82	+ if (err)
	83	+ break;
	84	free_symval = 1;
	85	}
	86	path = path_buf = grub_malloc (sym_sz + grub_strlen (oldpath) + 1);
	87	@@ -2911,7 +2920,8 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	88	grub_free (oldpathbuf);
	89	if (free_symval)
	90	grub_free (sym_value);
	91	- return grub_errno;
	92	+ err = grub_errno;
	93	+ break;
	94	}
	95	grub_memcpy (path, sym_value, sym_sz);
	96	if (free_symval)
	97	@@ -2949,11 +2959,12 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	98
	99	err = zio_read (bp, dnode_path->dn.endian, &sahdrp, NULL, data);
	100	if (err)
	101	- return err;
	102	+ break;
	103	}
	104	else
	105	{
	106	- return grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
	107	+ err = grub_error (GRUB_ERR_BAD_FS, "filesystem is corrupt");
	108	+ break;
	109	}
	110
	111	hdrsize = SA_HDR_SIZE (((sa_hdr_phys_t *) sahdrp));
	112	@@ -2974,7 +2985,8 @@ dnode_get_path (struct subvolume subvol, const char path_in, dnode_end_t *dn,
	113	if (!path_buf)
	114	{
	115	grub_free (oldpathbuf);
	116	- return grub_errno;
	117	+ err = grub_errno;
	118	+ break;
	119	}
	120	grub_memcpy (path, sym_value, sym_sz);
	121	path [sym_sz] = 0;