Skip to content

Fix double free and leak in the loader protocol #769

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
vathpela merged 2 commits into from
Aug 13, 2025
Merged

Fix double free and leak in the loader protocol #769

vathpela merged 2 commits into from
Aug 13, 2025

Conversation

@rosslagerwall
Copy link
Contributor

@rosslagerwall rosslagerwall commented Aug 5, 2025

No description provided.

@rosslagerwall
loader-protocol: Handle UnloadImage after StartImage properly
2fb8f9e 
If the EFI application exits, Shim will uninstall the protocols and then
free the image. If something (e.g. GRUB) calls UnloadImage at this
point, there is a double free because HandleProtocol() returns
EFI_INVALID_PARAMETER and then Shim frees the image again.
HandleProtocol() returns EFI_INVALID_PARAMETER because the handle is
automatically freed when all protocols are uninstalled.

Be robust against this and other errors by only freeing the image if
HandleProtocol() returns EFI_SUCCESS.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
@rosslagerwall
loader-protocol: Fix memory leaks
97ee9bb 
This may happen if the image is loaded and then unloaded without calling
StartImage().

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
@vathpela
Copy link
Member

vathpela commented Aug 5, 2025

Sorry about the noise with the checks; @bluca and I were working on it when your PR landed.

bluca
bluca reviewed Aug 5, 2025
View reviewed changes
loader-proto.c
else if (efi_status != EFI_SUCCESS)
return efi_status;

flush_cached_sections(ImageHandle);
Copy link
Contributor

@bluca bluca Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't we need to flush the cached sections in either case here?

Copy link
Contributor Author

@rosslagerwall rosslagerwall Aug 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. If we hit the else if (efi_status != EFI_SUCCESS) case, either:

  • We were passed a previously valid handle that was freed by the UninstallMultipleProtocolInterfaces() call on line 389. In that case we have already called flush_cached_sections() on the handle (line 383) so nothing to do here.
  • We were passed NULL, garbage or an unknown handle, in which case we shouldn't call flush_cached_sections() on the handle.

@vathpela vathpela merged commit 6a1d1a9 into rhboot:main Aug 13, 2025
71 of 80 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@bluca bluca bluca left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rosslagerwall @vathpela @bluca