osdep/aros/hostdisk: Fix use-after-free bug during MsgPort deletion

... in function grub_util_fd_open() when creation of an I/O request or
opening a device fails. The "ret", the file descriptor, will be freed
before its associated MsgPort is deleted resulting in a use-after-free
condition.

Fix this issue by freeing "ret" after its associated MsgPort has been
deleted.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/osdep/aros/hostdisk.c b/grub-core/osdep/aros/hostdisk.c
index 08723bd456ce64af6e7d7d99dc920cf179393412..c7547493386563734aa491d9b1dc36ab3f7ba320 100644 (file)
--- a/grub-core/osdep/aros/hostdisk.c
+++ b/grub-core/osdep/aros/hostdisk.c
@@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg)
                                                 sizeof(struct IOExtTD));
   if (!ret->ioreq)
     {
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
       return NULL;
     }
 
@@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg)
   if (OpenDevice ((unsigned char *) tmp, unit,
                  (struct IORequest *) ret->ioreq, flags))
     {
-      free (tmp);
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
+      free (tmp);
       return NULL;
     }
   free (tmp);