1From 6aee4bfd6973c714056fb7b56890b8d524e94ee1 Mon Sep 17 00:00:00 2001
2From: Darren Kenny <darren.kenny@oracle.com>
3Date: Fri, 11 Dec 2020 15:03:13 +0000
4Subject: [PATCH] kern/efi/mm: Fix possible NULL pointer dereference
5
6The model of grub_efi_get_memory_map() is that if memory_map is NULL,
7then the purpose is to discover how much memory should be allocated to
8it for the subsequent call.
9
10The problem here is that with grub_efi_is_finished set to 1, there is no
11check at all that the function is being called with a non-NULL memory_map.
12
13While this MAY be true, we shouldn't assume it.
14
15The solution to this is to behave as expected, and if memory_map is NULL,
16then don't try to use it and allow memory_map_size to be filled in, and
17return 0 as is done later in the code if the buffer is too small (or NULL).
18
19Additionally, drop unneeded ret = 1.
20
21Fixes: CID 96632
22
23Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
24Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
25Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
26---
27 grub-core/kern/efi/mm.c | 19 ++++++++++++++-----
28 1 file changed, 14 insertions(+), 5 deletions(-)
29
30diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
31index b02fab1..5afcef7 100644
32--- a/grub-core/kern/efi/mm.c
33+++ b/grub-core/kern/efi/mm.c
34@@ -328,15 +328,24 @@ grub_efi_get_memory_map (grub_efi_uintn_t *memory_map_size,
35 if (grub_efi_is_finished)
36 {
37 int ret = 1;
38- if (*memory_map_size < finish_mmap_size)
39+
40+ if (memory_map != NULL)
41 {
42- grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
43- ret = 0;
44+ if (*memory_map_size < finish_mmap_size)
45+ {
46+ grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);
47+ ret = 0;
48+ }
49+ else
50+ grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
51 }
52 else
53 {
54- grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size);
55- ret = 1;
56+ /*
57+ * Incomplete, no buffer to copy into, same as
58+ * GRUB_EFI_BUFFER_TOO_SMALL below.
59+ */
60+ ret = 0;
61 }
62 *memory_map_size = finish_mmap_size;
63 if (map_key)
64--
652.14.2
66
67
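Review bot: The too-small path kept at the `grub_memcpy (memory_map, finish_mmap_buf, *memory_map_size);` line still writes a truncated copy of the finished map into a buffer the caller is then told (via `ret = 0` and the updated `*memory_map_size`) is inadequate, and nothing in the hunk says the partial contents are meant to be consumed; a comment there, `/* Buffer too small: copy what fits, caller must retry with *memory_map_size bytes. */`, would keep the next reader from mistaking it for a bounds bug. If no caller depends on that truncated content, the three-way nesting collapses to `if (memory_map != NULL && *memory_map_size >= finish_mmap_size) grub_memcpy (memory_map, finish_mmap_buf, finish_mmap_size); else ret = 0;` with the GRUB_EFI_BUFFER_TOO_SMALL comment moved onto the else, which also removes the partial write. The added NULL check covers only `memory_map`; `memory_map_size` is still dereferenced in the new inner condition and written unconditionally at `*memory_map_size = finish_mmap_size;`, so it is presumably a required parameter, but that contract is stated outside the hunk. grub_efi_get_memory_map starts before the hunk and continues past it.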