grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] cryptodisk: Fix Coverity use after free bug


From: Daniel Kiper
Subject: Re: [PATCH] cryptodisk: Fix Coverity use after free bug
Date: Thu, 13 Jan 2022 19:44:06 +0100
User-agent: NeoMutt/20170113 (1.7.2)

On Sat, Jan 01, 2022 at 03:48:25PM -0600, Glenn Washburn wrote:
> The Coverity output is:
>
>   *** CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
>   /grub-core/disk/cryptodisk.c: 1064 in grub_cryptodisk_scan_device_real()
>   1058      cleanup:
>   1059       if (askpass)
>   1060         {
>   1061           cargs->key_len = 0;
>   1062           grub_free (cargs->key_data);
>   1063         }
>   >>>     CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
>   >>>     Using freed pointer "dev".
>   1064       return dev;
>   1065     }
>   1066
>   1067     #ifdef GRUB_UTIL
>   1068     #include <grub/util/misc.h>
>   1069     grub_err_t
>
> Here the 'dev' variable can point to a freed cryptodisk device if the
> function grub_cryptodisk_insert() fails. This can happen only on a OOM
> condition, but when this happens grub_cryptodisk_insert() calls grub_free on
> the passed device. Since grub_cryptodisk_scan_device_real() assumes that
> grub_cryptodisk_insert() is always successful, it will return the device,
> though the device was freed.
>
> Change grub_cryptodisk_insert() to not free the passed device on failure.
> Then on grub_cryptodisk_insert() failure, free the device pointer. This is
> done by going to the label 'error', which will call cryptodisk_close() to
> free the device and set the device pointer to NULL, so that a pointer to
> freed memory is not returned.
>
> Signed-off-by: Glenn Washburn <development@efficientek.com>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Daniel



reply via email to

[Prev in Thread] Current Thread [Next in Thread]