From: Rafał Wojdyła
Date: Thu, 7 Mar 2024 10:19:01 +0000 (+0100)
Subject: Fix double-free on error condition in GnttabPermitForeignAccess()
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=1019522273c7080d73885e38e972092df4fcce0f;p=pvdrivers%2Fwin%2Fxeniface.git

Fix double-free on error condition in GnttabPermitForeignAccess()

XENIFACE_GNTTAB_CONTEXT associated with the request was incorrectly freed by GnttabPermitForeignAccess() when a failure occurred. The context is also freed by the parent function, IoctlGnttabPermitForeignAccess(), which led to a double-free and kernel heap corruption. GnttabStopSharing() as the final step in the failure path takes care of cleaning up the contents of the (possibly partially initialized) context.

Signed-off-by: Rafał Wojdyła
Reviewed-by: Owen Smith
---
diff --git a/src/xeniface/ioctl_gnttab.c b/src/xeniface/ioctl_gnttab.c index 8ab2099..026f29b 100644 --- a/src/xeniface/ioctl_gnttab.c +++ b/src/xeniface/ioctl_gnttab.c @@ -304,12 +304,6 @@ fail2: fail1: Error("Fail1\n"); GnttabStopSharing(Fdo, Context, Page); - - if (Context != NULL) { - RtlZeroMemory(Context, sizeof(*Context)); - __FreePoolWithTag(Context, XENIFACE_POOL_TAG); - } - return Status; }
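Review bot: The removed block at fail1 was guarded by `if (Context != NULL)`, while the call `GnttabStopSharing(Fdo, Context, Page);` immediately above it runs unconditionally, so please confirm that GnttabStopSharing() tolerates a NULL Context for any jump to fail1 (or from fail2) that can happen before the context is fully set up; otherwise the fix trades a double-free for a NULL dereference on the same path. Since ownership of Context now rests entirely with IoctlGnttabPermitForeignAccess(), a one-line comment at fail1 stating that the caller frees the context would keep a future change from reintroducing the `__FreePoolWithTag(Context, XENIFACE_POOL_TAG);` here, and the caller's free should keep the `RtlZeroMemory(Context, sizeof(*Context));` scrub that this hunk drops, as the context can hold grant references and handles.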