From 41b74a18b2879e37b1e084f7ab6bd276ce30c6c9 Mon Sep 17 00:00:00 2001
From: Jan Janssen
Date: Thu, 13 Jan 2022 12:32:07 +0100
Subject: [PATCH] boot: Fix invalid free

LocateDevicePath() advances the device path pointer, making it invalid when freed.
---
 src/boot/efi/shim.c | 5 +++--
 src/boot/efi/xbootldr.c | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c
index 3ce6af42f94..fd9c489478d 100644
--- a/src/boot/efi/shim.c
+++ b/src/boot/efi/shim.c
@@ -118,13 +118,14 @@ static EFIAPI EFI_STATUS security_policy_authentication (const EFI_SECURITY_PROT
 if (!dev_path)
 return EFI_OUT_OF_RESOURCES;
- status = BS->LocateDevicePath(&FileSystemProtocol, &dev_path, &h);
+ EFI_DEVICE_PATH *dp = dev_path;
+ status = BS->LocateDevicePath(&FileSystemProtocol, &dp, &h);
 if (EFI_ERROR(status))
 return status;
 /* No need to check return value, this already happened in efi_main() */
 root = LibOpenRoot(h);
- dev_path_str = DevicePathToStr(dev_path);
+ dev_path_str = DevicePathToStr(dp);
 if (!dev_path_str)
 return EFI_OUT_OF_RESOURCES;
diff --git a/src/boot/efi/xbootldr.c b/src/boot/efi/xbootldr.c
index 81aa7f61eef..4972877d209 100644
--- a/src/boot/efi/xbootldr.c
+++ b/src/boot/efi/xbootldr.c
@@ -286,7 +286,8 @@ EFI_STATUS xbootldr_open(EFI_HANDLE *device, EFI_HANDLE *ret_device, EFI_FILE **
 hd->SignatureType = SIGNATURE_TYPE_GUID;
 }
- err = BS->LocateDevicePath(&BlockIoProtocol, &partition_path, &new_device);
+ EFI_DEVICE_PATH *dp = partition_path;
+ err = BS->LocateDevicePath(&BlockIoProtocol, &dp, &new_device);
 if (EFI_ERROR(err))
 return err;
-- 
2.47.3
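Review bot: In security_policy_authentication() in shim.c, `root = LibOpenRoot(h);` still runs before the `dev_path_str` allocation check, so the `return EFI_OUT_OF_RESOURCES;` right after it leaves the volume handle open unless `root` has a cleanup handler declared outside the hunk. Doing the conversion first (`dev_path_str = DevicePathToStr(dp);` plus its NULL check) and only then calling `root = LibOpenRoot(h);` would avoid that. The result of LibOpenRoot() is also unchecked; the comment relies on efi_main(), but `h` is resolved from the device path handed to this hook, so it is worth confirming it is always the same handle. A short comment above the new declaration, such as `/* dp is a cursor into dev_path; LocateDevicePath() advances it, dev_path keeps ownership */`, would record why the alias exists and keep later edits from freeing `dp`. The function body starts and ends outside the hunk.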
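Review bot: Nothing after the call in xbootldr_open() in xbootldr.c looks at where LocateDevicePath() left `dp`, so a partial match is treated the same as a full one. The call succeeds on the closest handle along the path, which means `new_device` could be a parent device while `dp` still points at an unmatched remainder. If the code after the hunk does not already reject that case, a check such as `if (!IsDevicePathEnd(dp)) return EFI_NOT_FOUND;` after the error test would make the full-match assumption explicit. xbootldr_open() continues outside the hunk, so later handling of `new_device` is not visible here.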