[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20251118180021.2890-3-daniel.kiper@oracle.com>
Date: Tue, 18 Nov 2025 19:00:15 +0100
From: Daniel Kiper <daniel.kiper@...cle.com>
To: grub-devel@....org, oss-security@...ts.openwall.com
Cc: alec.r.brown@...cle.com, glin@...e.com, mbenatto@...hat.com,
mchang@...e.com, meissner@...e.com, tf@...ay.de, volticks@...il.com
Subject: [SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close()
From: Thomas Frauendorfer | Miray Software <tf@...ay.de>
With commit 16f196874 (kern/file: Implement filesystem reference
counting) files hold a reference to their file systems.
When closing a file in grub_file_close() we should not expect
file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
So, grub_dl_unref() should be called after file->fs->fs_close().
Fixes: CVE-2025-54771
Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
Reported-by: Thomas Frauendorfer | Miray Software <tf@...ay.de>
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@...ay.de>
Reviewed-by: Daniel Kiper <daniel.kiper@...cle.com>
---
grub-core/kern/file.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
index 6e7efe89a..eb52fd25f 100644
--- a/grub-core/kern/file.c
+++ b/grub-core/kern/file.c
@@ -201,12 +201,12 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
grub_err_t
grub_file_close (grub_file_t file)
{
- if (file->fs->mod)
- grub_dl_unref (file->fs->mod);
-
if (file->fs->fs_close)
(file->fs->fs_close) (file);
+ if (file->fs->mod)
+ grub_dl_unref (file->fs->mod);
+
if (file->device)
grub_device_close (file->device);
grub_free (file->name);
--
2.11.0
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
