[SECURITY PATCH 10/28] json: Avoid a double-free when parsing fails.
From: Daniel Kiper
Subject: [SECURITY PATCH 10/28] json: Avoid a double-free when parsing fails.
Date: Wed, 29 Jul 2020 19:00:23 +0200
From: Chris Coulson <chris.coulson@canonical.com>

When grub_json_parse() succeeds, it returns the root object which
contains a pointer to the provided JSON string. Callers are
responsible for ensuring that this string outlives the root
object and for freeing its memory when it's no longer needed.

If grub_json_parse() fails to parse the provided JSON string,
it frees the string before returning an error. This results
in a double free in luks2_recover_key(), which also frees the
same string after grub_json_parse() returns an error.

This changes grub_json_parse() to never free the JSON string
passed to it, and updates the documentation for it to make it
clear that callers are responsible for ensuring that the string
outlives the root JSON object.

Fixes: CID 292465

Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/lib/json/json.c | 9 +++------
grub-core/lib/json/json.h | 5 ++++-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/grub-core/lib/json/json.c b/grub-core/lib/json/json.c
index 913b8f404..1c20c75ea 100644
--- a/grub-core/lib/json/json.c
+++ b/grub-core/lib/json/json.c
@@ -71,12 +71,9 @@ grub_json_parse (grub_json_t **out, char *string,
grub_size_t string_len)
*out = json;
err:
- if (ret && json)
- {
- grub_free (json->string);
- grub_free (json->tokens);
- grub_free (json);
- }
+ if (ret)
+ grub_json_free (json);
+
return ret;
}
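Review bot: The NULL test on json from the removed "if (ret && json)" is gone at the err: label, so "grub_json_free (json)" can now be called with json == NULL whenever the failure happened before the root object was allocated. grub_json_free() is not part of this hunk, so please confirm two things about it: that it accepts a NULL argument, and that it releases only json->tokens and json itself, never json->string. If it still frees the string, the double free described in the commit message is only moved, not removed. A one-line comment at the label saying that the string stays with the caller would make the intent visible at the place where the old code freed it.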
diff --git a/grub-core/lib/json/json.h b/grub-core/lib/json/json.h
index d9f99454d..01614f6df 100644
--- a/grub-core/lib/json/json.h
+++ b/grub-core/lib/json/json.h
@@ -50,7 +50,10 @@ typedef struct grub_json grub_json_t;
* Parse a JSON-encoded string. Note that the string passed to
* this function will get modified on subsequent calls to
* grub_json_get*(). Returns the root object of the parsed JSON
- * object, which needs to be free'd via grub_json_free().
+ * object, which needs to be free'd via grub_json_free(). Callers
+ * must ensure that the string outlives the returned root object,
+ * and that child objects must not be used after the root object
+ * has been free'd.
*/
extern grub_err_t EXPORT_FUNC(grub_json_parse) (grub_json_t **out,
char *string,
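Review bot: The added comment text covers lifetime (the string must outlive the root object) but does not state the ownership rule that the bug was about, namely that grub_json_parse() never frees the string, on success or on failure, and that the caller frees it in both cases. Since the double free came from the error path, I would say that explicitly here. The wording also reads oddly: "Callers must ensure ... that child objects must not be used after the root object has been free'd" doubles the "must"; something like "Child objects must not be used after the root object has been free'd" as its own sentence would be clearer.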
--
2.11.0
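The ownership rule from the commit message, as an added C example that is not GRUB code and not part of the patch: `struct doc`, `doc_parse()`, `doc_free()`, the toy "must start with `{`" parser and the tracking allocator are all constructed stand-ins. The `frees_string` flag models the old error path so the second free can be counted instead of executed.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for illustration; not GRUB's types or functions. */
struct doc { char *string; int *tokens; };

static void *live[8];   /* allocations currently owned by someone */
static int bad_frees;   /* frees of a pointer that is no longer live */

static void *xalloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p && i < 8; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void xfree(void *p) {
    if (!p) return;
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    bad_frees++;        /* second free of the same block: count it, do not touch it */
}

static void doc_free(struct doc *d) {          /* never frees d->string */
    if (!d) return;
    xfree(d->tokens);
    xfree(d);
}

/* Toy parser: input must start with '{'. frees_string=1 models the old error path. */
static int doc_parse(struct doc **out, char *string, int frees_string) {
    struct doc *d = xalloc(sizeof(*d));
    if (!d) return -1;
    d->string = string;
    d->tokens = xalloc(4 * sizeof(int));
    if (d->tokens && string[0] == '{') { *out = d; return 0; }
    if (frees_string) xfree(d->string);        /* callee frees a buffer it does not own */
    doc_free(d);
    return -1;
}

/* Caller in the style the commit message describes: it always frees its own string. */
static int bad_frees_for(const char *text, int frees_string) {
    struct doc *d = NULL;
    char *s = xalloc(strlen(text) + 1);
    if (!s) return -1;
    strcpy(s, text);
    bad_frees = 0;
    if (doc_parse(&d, s, frees_string) == 0) doc_free(d);
    xfree(s);
    return bad_frees;
}
```

Only the combination of a parse failure and a parser that frees the caller's string produces a second free; with the parser leaving the string alone, the caller's single free is correct on both paths.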