From: Thomas Frauendorfer | Miray Software Date: Wed, 7 May 2025 14:15:22 +0000 (+0200) Subject: kern/file: Call grub_dl_unref() after fs->fs_close() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4fb4cbc941981894a00ba8e75d634a41967a27f;p=thirdparty%2Fgrub.git kern/file: Call grub_dl_unref() after fs->fs_close() With commit 16f196874 (kern/file: Implement filesystem reference counting) files hold a reference to their file systems. When closing a file in grub_file_close() we should not expect file->fs to stay valid after calling grub_dl_unref() on file->fs->mod. So, grub_dl_unref() should be called after file->fs->fs_close(). Fixes: CVE-2025-54771 Fixes: 16f196874 (kern/file: Implement filesystem reference counting) Reported-by: Thomas Frauendorfer | Miray Software Signed-off-by: Thomas Frauendorfer | Miray Software Reviewed-by: Daniel Kiper --- diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c index 6e7efe89a..eb52fd25f 100644 --- a/grub-core/kern/file.c +++ b/grub-core/kern/file.c @@ -201,12 +201,12 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len) grub_err_t grub_file_close (grub_file_t file) { - if (file->fs->mod) - grub_dl_unref (file->fs->mod); - if (file->fs->fs_close) (file->fs->fs_close) (file); + if (file->fs->mod) + grub_dl_unref (file->fs->mod); + if (file->device) grub_device_close (file->device); grub_free (file->name);
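Review bot: The reordered block in grub_file_close(), where grub_dl_unref (file->fs->mod) now follows (file->fs->fs_close) (file), has no comment saying that the order is load-bearing. A later cleanup could move the unref back above the close and reintroduce the access to file->fs after its module reference has been dropped. Suggest a short comment above the moved `if (file->fs->mod)` check, for example `/* Drop the module reference only after fs_close(); file->fs may not stay valid once it is released. */`. In the visible context the lines that follow, grub_device_close (file->device) and grub_free (file->name), do not dereference file->fs, so the comment can also state that the unref is meant to be the last use of file->fs in this function.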