Store the loopback device as data on loopback grub_disk structures,

rather than the file it points to.  This fixes use of freed memory
if an existing loopback device is replaced.

* grub-core/disk/loopback.c (grub_loopback_open): Store dev in
disk->data, not dev->file.
(grub_loopback_read): Adjust file assignment to match.
Fixes Ubuntu bug #742967.

diff --git a/ChangeLog b/ChangeLog
index 512b61cac42769019b4ab127e024c8ec555439ca..fb6875c693ca5d2131d930cfa10dcdbb59c505d3 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2011-04-01  Colin Watson  <cjwatson@ubuntu.com>
+
+       Store the loopback device as data on loopback grub_disk structures,
+       rather than the file it points to.  This fixes use of freed memory
+       if an existing loopback device is replaced.
+
+       * grub-core/disk/loopback.c (grub_loopback_open): Store dev in
+       disk->data, not dev->file.
+       (grub_loopback_read): Adjust file assignment to match.
+       Fixes Ubuntu bug #742967.
+
 2011-04-01  Colin Watson  <cjwatson@ubuntu.com>
 
        * grub-core/disk/loopback.c (grub_cmd_loopback): Fix a memory leak

diff --git a/grub-core/disk/loopback.c b/grub-core/disk/loopback.c
index 02e6c164fe13a27ffc40da7382cd731843aced67..939043f017831e9cacba3e18c06e0ea4407f3aea 100644 (file)
--- a/grub-core/disk/loopback.c
+++ b/grub-core/disk/loopback.c
@@ -162,7 +162,7 @@ grub_loopback_open (const char *name, grub_disk_t disk)
     disk->total_sectors = GRUB_DISK_SIZE_UNKNOWN;
   disk->id = (unsigned long) dev;
 
-  disk->data = dev->file;
+  disk->data = dev;
 
   return 0;
 }
@@ -171,7 +171,7 @@ static grub_err_t
 grub_loopback_read (grub_disk_t disk, grub_disk_addr_t sector,
                    grub_size_t size, char *buf)
 {
-  grub_file_t file = (grub_file_t) disk->data;
+  grub_file_t file = ((struct grub_loopback *) disk->data)->file;
   grub_off_t pos;
 
   grub_file_seek (file, sector << GRUB_DISK_SECTOR_BITS);