From: Eric Snowberg
To: grub-devel@gnu.org
Cc: Eric Snowberg
Subject: [PATCH 07/15] ofdisk: memory corruption fix
Date: Wed, 29 Jun 2016 14:43:20 -0700
List-Id: The development of GNU GRUB

The goal of this patch is to clean up memory corruption by having memory
allocation take place in a single location, while not causing any new
memory leaks. In various parts of the code the same path is called
different things; for example, it is called curcan, device, name_dup, can,
and devpath. These are all the same thing. Within ofdisk_hash_add_real,
p->devpath stores a pointer that can later get freed, causing memory
corruption problems.

The following code path is an example of the memory corruption this
patch will fix:

  devpath created in grub_ofdisk_open
    it then calls ofdisk_hash_add with devpath
      it then calls ofdisk_hash_add_real with devpath
        ofdisk_hash_add_real saves pointer of devpath
      return
    return
  free devpath
  dangling pointer/memory corruption with what is stored in ofdisk_hash_add_real

The patch fixes this problem and prevents a memory leak by cleaning up
the new copy when it is no longer needed.

Signed-off-by: Eric Snowberg
---
 grub-core/disk/ieee1275/ofdisk.c | 30 +++++++++++++-----------------
 1 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
index 235c0fe..18d2e95 100644
--- a/grub-core/disk/ieee1275/ofdisk.c
+++ b/grub-core/disk/ieee1275/ofdisk.c
@@ -74,7 +74,7 @@ ofdisk_hash_find (const char *devpath) } static struct ofdisk_hash_ent * -ofdisk_hash_add_real (char *devpath) +ofdisk_hash_add_real (const char *devpath) { struct ofdisk_hash_ent *p; struct ofdisk_hash_ent **head = &ofdisk_hash[ofdisk_hash_fn(devpath)]; @@ -85,13 +85,20 @@ ofdisk_hash_add_real (char *devpath) if (!p) return NULL; - p->devpath = devpath; + p->devpath = grub_strdup (devpath); + + if (!p->devpath) + { + grub_free (p); + return NULL; + } p->grub_devpath = grub_malloc (sizeof ("ieee1275/") + 2 * grub_strlen (p->devpath)); if (!p->grub_devpath) { + grub_free (p->devpath); grub_free (p); return NULL; } @@ -101,6 +108,7 @@ ofdisk_hash_add_real (char *devpath) p->open_path = grub_malloc (grub_strlen (p->devpath) + 3); if (!p->open_path) { + grub_free (p->devpath); grub_free (p->grub_devpath); grub_free (p); return NULL; @@ -140,7 +148,7 @@ check_string_removable (const char *str) } static struct ofdisk_hash_ent * -ofdisk_hash_add (char *devpath, char *curcan) +ofdisk_hash_add (const char *devpath, const char *curcan) { struct ofdisk_hash_ent *p, *pcan; @@ -160,8 +168,6 @@ ofdisk_hash_add (char *devpath, char *curcan) pcan = ofdisk_hash_find (curcan); if (!pcan) pcan = ofdisk_hash_add_real (curcan); - else - grub_free (curcan); if (check_string_removable (devpath) || check_string_removable (curcan)) pcan->is_removable = 1; @@ -191,18 +197,7 @@ dev_iterate_real (const char *name, const char *path) op = ofdisk_hash_find (path); if (!op) - { - char *name_dup = grub_strdup (name); - char *can = grub_strdup (path); - if (!name_dup || !can) - { - grub_errno = GRUB_ERR_NONE; - grub_free (name_dup); - grub_free (can); - return; - } - op = ofdisk_hash_add (name_dup, can); - } + op = ofdisk_hash_add (name, path); return; } @@ -658,6 +653,7 @@ insert_bootpath (void) char *device = grub_ieee1275_get_devname (bootpath); op = ofdisk_hash_add (device, NULL); op->is_boot = 1; + grub_free (device); } grub_free (type); grub_free (bootpath); -- 1.7.1
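Review bot: in the `@@ -85,13 +85,20 @@` hunk the error unwinding of ofdisk_hash_add_real now repeats the same free sequence in three places (the new grub_strdup check, the grub_devpath check, and the open_path check in the following hunk), and each later path has to remember every earlier allocation. A single `fail:` label that runs `grub_free (p->open_path); grub_free (p->devpath); grub_free (p);` on an entry whose pointer fields start out NULL, with each check doing `goto fail`, keeps the cleanup in one place and makes the next field added to the struct harder to leak. The strdup itself is the right fix: the entry owns its key, so the caller's buffer can be freed without leaving p->devpath dangling.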
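Review bot: in the `@@ -160,8 +168,6 @@` hunk pcan is dereferenced without a check right after the changed lines: if ofdisk_hash_find (curcan) misses and ofdisk_hash_add_real (curcan) returns NULL, `pcan->is_removable = 1;` writes through a null pointer. That was already possible before this patch, but ofdisk_hash_add_real gains one more failure path here (the grub_strdup added above), so guarding it, e.g. `if (!pcan) return NULL;` or whatever the function's existing error return is, belongs in this series. Dropping the `else grub_free (curcan);` is correct now that the table keeps its own copy and the caller retains ownership of curcan.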
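Review bot: the block removed in the `@@ -191,18 +197,7 @@` hunk also reset `grub_errno = GRUB_ERR_NONE;` when the duplicates could not be allocated, so an out-of-memory condition during device enumeration was swallowed; after this change ofdisk_hash_add (name, path) can fail inside the iterator and leave grub_errno set, which changes what callers of dev_iterate_real observe. If that is intentional the commit message should say so; otherwise keep the reset, e.g. `if (!op) grub_errno = GRUB_ERR_NONE;` after the call. The simplification itself is welcome: with const char * parameters the iterator no longer has to own copies of name and path.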
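Review bot: in the `@@ -658,6 +653,7 @@` hunk `grub_free (device);` is now correct because ofdisk_hash_add copies the string instead of storing the pointer, but the two lines above it still assume success: `op->is_boot = 1;` dereferences op without a check, and op can be NULL when the entry's allocations fail (device itself is also passed in unchecked). Since this hunk already touches the ownership of device, guard it as `if (op) op->is_boot = 1;` before the free.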
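The ownership rule this patch establishes (the hash table always stores its own copy of the path, so every caller keeps responsibility for the buffer it passed in) is easy to show outside GRUB. The following is an added example written for this page, not GRUB code: a small string-keyed table with hypothetical names (`hash_add`, `hash_find`, `hash_free_all`, `caller_frees_its_copy`, `dup_str`) that copies its key, unwinds partial allocations through one cleanup label, and lets the caller clobber and free its buffer afterwards without affecting the stored entry. The device path used as input is constructed for the example.

```c
/* Added example (not GRUB code): a tiny string-keyed hash table that
   follows the ownership rule of the patch above. The table owns every
   string it stores; callers keep (and free) the buffers they pass in.
   All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_SZ 8

struct ent
{
  struct ent *next;
  char *devpath;    /* owned by the table, never an alias of caller memory */
  char *open_path;  /* derived string, also owned by the table */
};

static struct ent *table[HASH_SZ];

/* Portable replacement for strdup so the example needs no feature macros. */
static char *dup_str (const char *s)
{
  size_t n = strlen (s) + 1;
  char *d = malloc (n);
  if (d)
    memcpy (d, s, n);
  return d;
}

static unsigned hash_fn (const char *s)
{
  unsigned h = 5381;
  for (; *s; s++)
    h = h * 33 + (unsigned char) *s;
  return h % HASH_SZ;
}

struct ent *hash_find (const char *devpath)
{
  struct ent *p;
  for (p = table[hash_fn (devpath)]; p; p = p->next)
    if (strcmp (p->devpath, devpath) == 0)
      return p;
  return NULL;
}

/* Allocation happens in exactly one place. The entry is zero-initialised,
   so a single cleanup label can free whatever was allocated so far. */
struct ent *hash_add (const char *devpath)
{
  struct ent **head = &table[hash_fn (devpath)];
  struct ent *p = calloc (1, sizeof *p);
  if (!p)
    return NULL;
  p->devpath = dup_str (devpath);
  if (!p->devpath)
    goto fail;
  p->open_path = malloc (strlen (devpath) + 3);  /* room for ":0" */
  if (!p->open_path)
    goto fail;
  strcpy (p->open_path, devpath);
  strcat (p->open_path, ":0");
  p->next = *head;
  *head = p;
  return p;
fail:
  free (p->open_path);
  free (p->devpath);
  free (p);
  return NULL;
}

void hash_free_all (void)
{
  unsigned i;
  for (i = 0; i < HASH_SZ; i++)
    {
      struct ent *p = table[i];
      while (p)
        {
          struct ent *next = p->next;
          free (p->open_path);
          free (p->devpath);
          free (p);
          p = next;
        }
      table[i] = NULL;
    }
}

/* Caller side of the fixed code path: allocate, add, then clobber and free
   the caller's own buffer. Returns 1 if the stored entry is still intact. */
int caller_frees_its_copy (void)
{
  const char *path = "/pci@1/scsi@2/disk@0";  /* constructed sample path */
  char *device = dup_str (path);
  struct ent *op;
  if (!device)
    return 0;
  op = hash_add (device);
  if (!op)
    {
      free (device);
      return 0;
    }
  /* Overwrite before freeing: an entry that aliased this buffer would fail
     the comparison below; a copying table is unaffected. */
  memset (device, 'X', strlen (device));
  free (device);
  return hash_find (path) == op
         && strcmp (op->open_path, "/pci@1/scsi@2/disk@0:0") == 0;
}

int main (void)
{
  printf ("entry survives caller's free: %s\n",
          caller_frees_its_copy () ? "yes" : "no");
  hash_free_all ();
  return 0;
}
```

The `goto fail` unwinding mirrors the review point about ofdisk_hash_add_real: because the entry starts zeroed and `free (NULL)` is a no-op, every failure path releases exactly what was allocated without repeating the sequence per field.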