From: Thomas Frauendorfer | Miray Software <[email protected]>

With commit 16f196874 (kern/file: Implement filesystem reference counting) files hold a reference to their file systems.
When closing a file in grub_file_close() we should not expect file->fs to stay valid after calling grub_dl_unref() on file->fs->mod. So, grub_dl_unref() should be called after file->fs->fs_close(). Fixes: CVE-2025-54771 Fixes: 16f196874 (kern/file: Implement filesystem reference counting) Reported-by: Thomas Frauendorfer | Miray Software <[email protected]> Signed-off-by: Thomas Frauendorfer | Miray Software <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> --- grub-core/kern/file.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c index 6e7efe89a..eb52fd25f 100644 --- a/grub-core/kern/file.c +++ b/grub-core/kern/file.c @@ -201,12 +201,12 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len) grub_err_t grub_file_close (grub_file_t file) { - if (file->fs->mod) - grub_dl_unref (file->fs->mod); - if (file->fs->fs_close) (file->fs->fs_close) (file); + if (file->fs->mod) + grub_dl_unref (file->fs->mod); + if (file->device) grub_device_close (file->device); grub_free (file->name); -- 2.11.0 _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
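
Review bot: In grub_file_close(), the moved "if (file->fs->mod)" block now reads file->fs after (file->fs->fs_close) (file) has returned, and nothing in the hunk documents why that order matters. The commit message says file->fs cannot be assumed valid once grub_dl_unref() has been called, so a short comment above the grub_dl_unref() call stating that it must remain the last use of file->fs would help keep a later reordering from reintroducing the use-after-free. It is also worth confirming that no fs_close implementation releases the file system reference itself; if one can, save file->fs->mod in a local before the fs_close call and unref that instead.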
