From: Jan Janssen <medhefgo@web.de>
Date: Thu, 13 Jan 2022 11:32:07 +0000 (+0100)
Subject: boot: Fix invalid free
X-Git-Tag: v251-rc1~533^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41b74a18b2879e37b1e084f7ab6bd276ce30c6c9;p=thirdparty%2Fsystemd.git

boot: Fix invalid free

LocateDevicePath() advances the device path pointer, making it invalid
when freed.
---

diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c
index 3ce6af42f94..fd9c489478d 100644
--- a/src/boot/efi/shim.c
+++ b/src/boot/efi/shim.c
@@ -118,13 +118,14 @@ static EFIAPI EFI_STATUS security_policy_authentication (const EFI_SECURITY_PROT
         if (!dev_path)
                 return EFI_OUT_OF_RESOURCES;
 
-        status = BS->LocateDevicePath(&FileSystemProtocol, &dev_path, &h);
+        EFI_DEVICE_PATH *dp = dev_path;
+        status = BS->LocateDevicePath(&FileSystemProtocol, &dp, &h);
         if (EFI_ERROR(status))
                 return status;
 
         /* No need to check return value, this already happened in efi_main() */
         root = LibOpenRoot(h);
-        dev_path_str = DevicePathToStr(dev_path);
+        dev_path_str = DevicePathToStr(dp);
         if (!dev_path_str)
                 return EFI_OUT_OF_RESOURCES;
 
diff --git a/src/boot/efi/xbootldr.c b/src/boot/efi/xbootldr.c
index 81aa7f61eef..4972877d209 100644
--- a/src/boot/efi/xbootldr.c
+++ b/src/boot/efi/xbootldr.c
@@ -286,7 +286,8 @@ EFI_STATUS xbootldr_open(EFI_HANDLE *device, EFI_HANDLE *ret_device, EFI_FILE **
                 hd->SignatureType = SIGNATURE_TYPE_GUID;
         }
 
-        err = BS->LocateDevicePath(&BlockIoProtocol, &partition_path, &new_device);
+        EFI_DEVICE_PATH *dp = partition_path;
+        err = BS->LocateDevicePath(&BlockIoProtocol, &dp, &new_device);
         if (EFI_ERROR(err))
                 return err;