kern/efi/mm: Detect calls to grub_efi_drop_alloc() with wrong page counts
authorMate Kukri <mate.kukri@canonical.com>
Wed, 12 Jun 2024 15:14:21 +0000 (16:14 +0100)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 20 Jun 2024 13:34:38 +0000 (15:34 +0200)
Silently keeping entries in the list if the address matches, but the
page count doesn't is a bad idea, and can lead to double frees.

grub_efi_free_pages() has already freed parts of this block by this
point, and thus keeping the whole block in the list and freeing it again
at exit can lead to double frees.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/kern/efi/mm.c

index bc18b149d282f908c732a1d18f266b22436996d7..df7bf28698891980754867e1a2f3d05cf3e77e9b 100644 (file)
@@ -95,8 +95,10 @@ grub_efi_drop_alloc (grub_efi_physical_address_t address,
 
   for (eap = NULL, ea = efi_allocated_memory; ea; eap = ea, ea = ea->next)
     {
-      if (ea->address != address || ea->pages != pages)
-         continue;
+      if (ea->address != address)
+       continue;
+      if (ea->pages != pages)
+       grub_fatal ("grub_efi_drop_alloc() called with wrong page count");
 
       /* Remove the current entry from the list. */
       if (eap)
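Review bot: The added `if (ea->pages != pages)` check only fires when the base address matches, so a free that starts part-way into a tracked allocation still falls through `if (ea->address != address) continue;` with no diagnostic. In that case the entry presumably stays in the list and is freed again at exit, which is the double free the commit message describes. Consider also calling grub_fatal() when `address` falls strictly inside the range covered by an entry (its base plus its page count converted to bytes). Separately, the fatal message gives no context for debugging; since grub_fatal() takes a format string, something like `grub_fatal ("grub_efi_drop_alloc() called with wrong page count: recorded %llu, requested %llu", (unsigned long long) ea->pages, (unsigned long long) pages);` would identify the offending caller much faster. The body of grub_efi_drop_alloc() starts and ends outside this hunk, so how the not-found case is handled after the loop is not visible here.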