From: Srish Srinivasan <ssrish@linux.ibm.com>
Date: Mon, 8 Dec 2025 10:21:29 +0000 (+0530)
Subject: osdep/aros/hostdisk: Fix use-after-free bug during MsgPort deletion
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=caaf50b9affbd4c9e7313a4fdc03c4fa439a6a1f;p=thirdparty%2Fgrub.git

osdep/aros/hostdisk: Fix use-after-free bug during MsgPort deletion

... in function grub_util_fd_open() when creation of an I/O request or
opening a device fails. The "ret", the file descriptor, will be freed
before its associated MsgPort is deleted resulting in a use-after-free
condition.

Fix this issue by freeing "ret" after its associated MsgPort has been
deleted.

Signed-off-by: Srish Srinivasan <ssrish@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/osdep/aros/hostdisk.c b/grub-core/osdep/aros/hostdisk.c
index 08723bd45..c75474933 100644
--- a/grub-core/osdep/aros/hostdisk.c
+++ b/grub-core/osdep/aros/hostdisk.c
@@ -207,8 +207,8 @@ grub_util_fd_open (const char *dev, int flg)
 						 sizeof(struct IOExtTD));
   if (!ret->ioreq)
     {
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
       return NULL;
     }
 
@@ -225,9 +225,9 @@ grub_util_fd_open (const char *dev, int flg)
   if (OpenDevice ((unsigned char *) tmp, unit,
 		  (struct IORequest *) ret->ioreq, flags))
     {
-      free (tmp);
-      free (ret);
       DeleteMsgPort (ret->mp);
+      free (ret);
+      free (tmp);
       return NULL;
     }
   free (tmp);