git.ipfire.org Git - thirdparty/grub.git/commit

author	Glenn Washburn <development@efficientek.com>
	Sat, 1 Jan 2022 21:48:25 +0000 (15:48 -0600)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Mon, 7 Feb 2022 19:15:26 +0000 (20:15 +0100)
commit	980cffdbb0dfbeafd32119a74c55fae9919e9039
tree	cfee220cf9ce45b7276423357ef4229a6c1d5dc5	tree
parent	246d69b7ea619fc1e77dcc5960e37aea45a9808c	commit \| diff

cryptodisk: Fix Coverity use after free bug

The Coverity output is:

  *** CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
  /grub-core/disk/cryptodisk.c: 1064 in grub_cryptodisk_scan_device_real()
  1058      cleanup:
  1059       if (askpass)
  1060         {
  1061           cargs->key_len = 0;
  1062           grub_free (cargs->key_data);
  1063         }
  >>>     CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
  >>>     Using freed pointer "dev".
  1064       return dev;
  1065     }
  1066
  1067     #ifdef GRUB_UTIL
  1068     #include <grub/util/misc.h>
  1069     grub_err_t

Here the "dev" variable can point to a freed cryptodisk device if the
function grub_cryptodisk_insert() fails. This can happen only on a OOM
condition, but when this happens grub_cryptodisk_insert() calls grub_free on
the passed device. Since grub_cryptodisk_scan_device_real() assumes that
grub_cryptodisk_insert() is always successful, it will return the device,
though the device was freed.

Change grub_cryptodisk_insert() to not free the passed device on failure.
Then on grub_cryptodisk_insert() failure, free the device pointer. This is
done by going to the label "error", which will call cryptodisk_close() to
free the device and set the device pointer to NULL, so that a pointer to
freed memory is not returned.

Fixes: CID 366905
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>