From: Daniel Kiper
To: grub-devel@gnu.org
Cc: 93sam@debian.org, alexander.burmashev@oracle.com, amakhalov@vmware.com, chris.coulson@canonical.com, cjwatson@debian.org, cperry@redhat.com, darren.kenny@oracle.com, darren.moffat@oracle.com, dave.miner@oracle.com, degranit@microsoft.com, eric.snowberg@oracle.com, ilya.okomin@oracle.com, jan.setjeeilers@oracle.com, jerecox@microsoft.com, jesse@eclypsium.com, john.haxby@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, mbenatto@redhat.com, mickey@eclypsium.com, msrc57813grub@microsoft.com, phcoder@gmail.com, pjones@redhat.com, sajacobu@microsoft.com, todd.vierling@oracle.com, xnox@ubuntu.com
Subject: [SECURITY PATCH 09/28] xnu: Fix double free in grub_xnu_devprop_add_property()
Date: Wed, 29 Jul 2020 19:00:22 +0200
Message-Id: <20200729170041.14082-10-daniel.kiper@oracle.com>
In-Reply-To: <20200729170041.14082-1-daniel.kiper@oracle.com>
References: <20200729170041.14082-1-daniel.kiper@oracle.com>

From: Alexey Makhalov

grub_xnu_devprop_add_property() should not free utf8 and utf16 as they get allocated and freed in the caller.

Minor improvement: do prop fields initialization after memory allocations.

Fixes: CID 292442, CID 292457, CID 292460, CID 292466

Signed-off-by: Alexey Makhalov
Reviewed-by: Daniel Kiper
---
grub-core/loader/i386/xnu.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c index b7d176b5d..e9e119259 100644 --- a/grub-core/loader/i386/xnu.c +++ b/grub-core/loader/i386/xnu.c @@ -262,20 +262,19 @@ grub_xnu_devprop_add_property (struct grub_xnu_devprop_device_descriptor *dev, if (!prop) return grub_errno; + prop->data = grub_malloc (datalen); + if (!prop->data) + { + grub_free (prop); + return grub_errno; + } + grub_memcpy (prop->data, data, datalen); + prop->name = utf8; prop->name16 = utf16; prop->name16len = utf16len; - prop->length = datalen; - prop->data = grub_malloc (prop->length); - if (!prop->data) - { - grub_free (prop->name); - grub_free (prop->name16); - grub_free (prop); - return grub_errno; - } - grub_memcpy (prop->data, data, prop->length); + grub_list_push (GRUB_AS_LIST_P (&dev->properties), GRUB_AS_LIST (prop)); return GRUB_ERR_NONE; -- 2.11.0
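
Review bot: ownership of utf8 and utf16 is still undocumented at the assignments `prop->name = utf8;` and `prop->name16 = utf16;`. The error path now correctly leaves both buffers to the caller, but on the success path the same pointers are stored in the entry pushed onto `dev->properties`, while the commit message says the caller allocates and frees them. If a caller frees them unconditionally after the call, the list entry is left with dangling name pointers, which trades the double free for a use-after-free. Please add a comment above grub_xnu_devprop_add_property() stating that the function takes ownership of utf8 and utf16 only when it returns GRUB_ERR_NONE and that the caller must free them on any error return, and confirm that every call site follows that rule. Moving the `prop->data` allocation ahead of the field initialization is a good change, since the only cleanup needed on failure is now `grub_free (prop);`.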