c78952
From bf59d76ca82eb4eaa20a747f5890d09632ba93d0 Mon Sep 17 00:00:00 2001
f4c76c
From: Matthew Garrett <mjg59@coreos.com>
f4c76c
Date: Tue, 14 Jul 2015 16:58:51 -0700
c78952
Subject: [PATCH 148/229] Fix race in EFI validation
f4c76c
f4c76c
---
f4c76c
 grub-core/loader/i386/efi/linux.c | 44 ++++++++++-----------------------------
f4c76c
 1 file changed, 11 insertions(+), 33 deletions(-)
f4c76c
f4c76c
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
ec4acb
index e5b778577f9..7ccf32d9d45 100644
f4c76c
--- a/grub-core/loader/i386/efi/linux.c
f4c76c
+++ b/grub-core/loader/i386/efi/linux.c
f4c76c
@@ -154,7 +154,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
f4c76c
   grub_file_t file = 0;
f4c76c
   struct linux_kernel_header lh;
f4c76c
   grub_ssize_t len, start, filelen;
f4c76c
-  void *kernel;
f4c76c
+  void *kernel = NULL;
f4c76c
 
f4c76c
   grub_dl_ref (my_mod);
f4c76c
 
f4c76c
@@ -191,10 +191,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
f4c76c
       goto fail;
f4c76c
     }
f4c76c
 
f4c76c
-  grub_file_seek (file, 0);
f4c76c
-
f4c76c
-  grub_free(kernel);
f4c76c
-
f4c76c
   params = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(16384));
f4c76c
 
f4c76c
   if (! params)
f4c76c
@@ -203,15 +199,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
f4c76c
       goto fail;
f4c76c
     }
f4c76c
 
f4c76c
-  memset (params, 0, 16384);
f4c76c
+  grub_memset (params, 0, 16384);
f4c76c
 
f4c76c
-  if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
f4c76c
-    {
f4c76c
-      if (!grub_errno)
f4c76c
-	grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
f4c76c
-		    argv[0]);
f4c76c
-      goto fail;
f4c76c
-    }
f4c76c
+  grub_memcpy (&lh, kernel, sizeof (lh));
f4c76c
 
f4c76c
   if (lh.boot_flag != grub_cpu_to_le16 (0xaa55))
f4c76c
     {
f4c76c
@@ -271,27 +261,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
f4c76c
       goto fail;
f4c76c
     }
f4c76c
 
f4c76c
-  if (grub_file_seek (file, start) == (grub_off_t) -1)
f4c76c
-    {
f4c76c
-      grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
f4c76c
-		  argv[0]);
f4c76c
-      goto fail;
f4c76c
-    }
f4c76c
+  grub_memcpy (kernel_mem, (char *)kernel + start, len);
f4c76c
+  grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);
f4c76c
+  loaded=1;
f4c76c
 
f4c76c
-  if (grub_file_read (file, kernel_mem, len) != len && !grub_errno)
f4c76c
-    {
f4c76c
-      grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
f4c76c
-		  argv[0]);
f4c76c
-    }
f4c76c
-
f4c76c
-  if (grub_errno == GRUB_ERR_NONE)
f4c76c
-    {
f4c76c
-      grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);
f4c76c
-      loaded = 1;
f4c76c
-      lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem;
f4c76c
-    }
f4c76c
-
f4c76c
-  memcpy(params, &lh, 2 * 512);
f4c76c
+  lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem;
f4c76c
+  grub_memcpy (params, &lh, 2 * 512);
f4c76c
 
f4c76c
   params->type_of_loader = 0x21;
f4c76c
 
f4c76c
@@ -300,6 +275,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
f4c76c
   if (file)
f4c76c
     grub_file_close (file);
f4c76c
 
f4c76c
+  if (kernel)
f4c76c
+    grub_free (kernel);
f4c76c
+
f4c76c
   if (grub_errno != GRUB_ERR_NONE)
f4c76c
     {
f4c76c
       grub_dl_unref (my_mod);
f4c76c
-- 
ec4acb
2.15.0
f4c76c