From: Jordy <jordy@simplyhacker.com>
To: u-boot@lists.denx.de
Subject: Double free vulnerability in do_rename_gpt_parts
Date: Fri, 17 Jan 2020 12:23:31 -0500 (EST) [thread overview]
Message-ID: <776301811.195544.1579281811665@privateemail.com> (raw)
In-Reply-To: <20200117163149.GV8732@bill-the-cat>
Hey Tom,
The patch looks good to me, I do agree with simon that you'd have to initialize the pointers to 0, because uninitialized pointers could contain garbage, unless it's a global variable (those are automagically initialized to 0).
Btw I really appreciate the fast and friendly responses, I've seen that different at other software packages thumbs-up for that!
Best Regards,
Jordy
> On January 17, 2020 11:31 AM Tom Rini <trini@konsulko.com> wrote:
>
>
> On Fri, Jan 17, 2020 at 04:29:52PM +0100, Simon Goldschmidt wrote:
> > + Some contributors of this file
> >
> > On Fri, Jan 17, 2020 at 1:03 PM Jordy <jordy@simplyhacker.com> wrote:
> > >
> > > Hello U-Boot lists!
> > >
> > > I think I found a double free bug in U-Boot, in /cmp/gpt.c in the function do_rename_gpt_parts().
> > >
> > > On line 702 the partition_list is being free'd if ret is smaller than 0.
> > > If the return value is not -ENOMEM it will go to the out: label and free the partition_list again.
> >
> > Reading the code, I can confirm that. Funny enough, the code in question was
> > introduced by commit 18030d04 ("GPT: fix memory leaks identified by Coverity").
> > Although I think Coverity should have detected the resulting double-free...
> >
> > However, I'm not sure of the fix: the code just continues for -ENOMEM and then
> > goes on using partitions_list at line 757...
>
> So, Coverity later did complain about that change (but not immediately,
> funny enough). I posted http://patchwork.ozlabs.org/patch/1192036/ and
> was hoping for a review on it as it's complex enough I'd like to avoid
> adding a 3rd round of issues there. Thanks!
>
> --
> Tom
prev parent reply other threads:[~2020-01-17 17:23 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-17 12:03 Double free vulnerability in do_rename_gpt_parts Jordy
2020-01-17 15:29 ` Simon Goldschmidt
2020-01-17 16:31 ` Tom Rini
2020-01-17 16:42 ` Simon Goldschmidt
2020-01-17 17:23 ` Jordy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=776301811.195544.1579281811665@privateemail.com \
--to=jordy@simplyhacker.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.