2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
new file mode 100644
index 0000000000..f9ad0fc34c
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,77 @@
+From 81117a77a9e945ee5e7c1f12bd5667e2a16cbe32 Mon Sep 17 00:00:00 2001
+From: Marco A Benatto <mbenatto@redhat.com>
+Date: Mon, 30 Nov 2020 12:18:24 -0300
+Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
+ grub_xnu_writetree_toheap()
+... to avoid memory leaks.
+Fixes: CID 96640
+Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4b4027b6b1c877d7ab467896b04c7bd1aadcfa15]
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index b3029a8..39ceff8 100644
+--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
+@@ -224,26 +224,33 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+   if (! memorymap)
+     return grub_errno;
+ 
+-  driverkey = (struct grub_xnu_devtree_key *) grub_malloc (sizeof (*driverkey));
+  driverkey = (struct grub_xnu_devtree_key *) grub_zalloc (sizeof (*driverkey));
+   if (! driverkey)
+     return grub_errno;
+   driverkey->name = grub_strdup ("DeviceTree");
+   if (! driverkey->name)
+-    return grub_errno;
+    {
+      err = grub_errno;
+      goto fail;
+    }
+
+   driverkey->datasize = sizeof (*extdesc);
+   driverkey->next = memorymap->first_child;
+   memorymap->first_child = driverkey;
+   driverkey->data = extdesc
+     = (struct grub_xnu_extdesc *) grub_malloc (sizeof (*extdesc));
+   if (! driverkey->data)
+-    return grub_errno;
+    {
+      err = grub_errno;
+      goto fail;
+    }
+ 
+   /* Allocate the space based on the size with dummy value. */
+   *size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
+   err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
+                              &src, target);
+   if (err)
+-    return err;
+    goto fail;
+ 
+   /* Put real data in the dummy. */
+   extdesc->addr = *target;
+@@ -252,6 +259,15 @@ grub_xnu_writetree_toheap (grub_addr_t *target, grub_size_t *size)
+   /* Write the tree to heap. */
+   grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
+   return GRUB_ERR_NONE;
+
+ fail:
+  memorymap->first_child = NULL;
+
+  grub_free (driverkey->data);
+  grub_free (driverkey->name);
+  grub_free (driverkey);
+
+  return err;
+ }
+ 
+ /* Find a key or value in parent key. */
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index c9e7a06a3f..eebe9a7233 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -85,6 +85,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch \
           file://0037-loader-bsd-Check-for-NULL-arg-up-front.patch \
           file://0038-loader-xnu-Fix-memory-leak.patch \
+           file://0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch \
           "
 SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
 SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"

diff --git a/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch new file mode 100644 index 0000000000..f9ad0fc34c --- /dev/null +++ b/meta/recipes-bsp/grub/files/0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch
@@ -0,0 +1,77 @@
		1	From 81117a77a9e945ee5e7c1f12bd5667e2a16cbe32 Mon Sep 17 00:00:00 2001
		2	From: Marco A Benatto <mbenatto@redhat.com>
		3	Date: Mon, 30 Nov 2020 12:18:24 -0300
		4	Subject: [PATCH] loader/xnu: Free driverkey data when an error is detected in
		5	grub_xnu_writetree_toheap()
		6
		7	... to avoid memory leaks.
		8
		9	Fixes: CID 96640
		10
		11	Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
		12	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
		13
		14	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=4b4027b6b1c877d7ab467896b04c7bd1aadcfa15]
		15	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
		16	---
		17	grub-core/loader/xnu.c \| 24 ++++++++++++++++++++----
		18	1 file changed, 20 insertions(+), 4 deletions(-)
		19
		20	diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
		21	index b3029a8..39ceff8 100644
		22	--- a/grub-core/loader/xnu.c
		23	+++ b/grub-core/loader/xnu.c
		24	@@ -224,26 +224,33 @@ grub_xnu_writetree_toheap (grub_addr_t target, grub_size_t size)
		25	if (! memorymap)
		26	return grub_errno;
		27
		28	- driverkey = (struct grub_xnu_devtree_key ) grub_malloc (sizeof (driverkey));
		29	+ driverkey = (struct grub_xnu_devtree_key ) grub_zalloc (sizeof (driverkey));
		30	if (! driverkey)
		31	return grub_errno;
		32	driverkey->name = grub_strdup ("DeviceTree");
		33	if (! driverkey->name)
		34	- return grub_errno;
		35	+ {
		36	+ err = grub_errno;
		37	+ goto fail;
		38	+ }
		39	+
		40	driverkey->datasize = sizeof (*extdesc);
		41	driverkey->next = memorymap->first_child;
		42	memorymap->first_child = driverkey;
		43	driverkey->data = extdesc
		44	= (struct grub_xnu_extdesc ) grub_malloc (sizeof (extdesc));
		45	if (! driverkey->data)
		46	- return grub_errno;
		47	+ {
		48	+ err = grub_errno;
		49	+ goto fail;
		50	+ }
		51
		52	/* Allocate the space based on the size with dummy value. */
		53	*size = grub_xnu_writetree_get_size (grub_xnu_devtree_root, "/");
		54	err = grub_xnu_heap_malloc (ALIGN_UP (*size + 1, GRUB_XNU_PAGESIZE),
		55	&src, target);
		56	if (err)
		57	- return err;
		58	+ goto fail;
		59
		60	/* Put real data in the dummy. */
		61	extdesc->addr = *target;
		62	@@ -252,6 +259,15 @@ grub_xnu_writetree_toheap (grub_addr_t target, grub_size_t size)
		63	/* Write the tree to heap. */
		64	grub_xnu_writetree_toheap_real (src, grub_xnu_devtree_root, "/");
		65	return GRUB_ERR_NONE;
		66	+
		67	+ fail:
		68	+ memorymap->first_child = NULL;
		69	+
		70	+ grub_free (driverkey->data);
		71	+ grub_free (driverkey->name);
		72	+ grub_free (driverkey);
		73	+
		74	+ return err;
		75	}
		76
		77	/* Find a key or value in parent key. */


diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index c9e7a06a3f..eebe9a7233 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc
@@ -85,6 +85,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
85	file://0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch \	85	file://0036-gfxmenu-gui_list-Remove-code-that-coverity-is-flaggi.patch \
86	file://0037-loader-bsd-Check-for-NULL-arg-up-front.patch \	86	file://0037-loader-bsd-Check-for-NULL-arg-up-front.patch \
87	file://0038-loader-xnu-Fix-memory-leak.patch \	87	file://0038-loader-xnu-Fix-memory-leak.patch \
		88	file://0039-loader-xnu-Free-driverkey-data-when-an-error-is-dete.patch \
88	"	89	"
89	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"	90	SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
90	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"	91	SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"