gazillon of double-free

All of lore.kernel.org
 help / color / mirror / Atom feed

* gazillon of double-free
@ 2010-09-08 23:20 Robert Millan
  2010-09-08 23:44 ` Vladimir 'φ-coder/phcoder' Serbinenko
  2010-09-14 19:42 ` Colin D Bennett
  0 siblings, 2 replies; 3+ messages in thread
From: Robert Millan @ 2010-09-08 23:20 UTC (permalink / raw)
  To: The development of GNU GRUB

It seems we have a ton of double-free bugs in label() and
uuid() routines.

Take for example grub_ext2_label():

  data = grub_ext2_mount (disk);
  if (data)
    *label = grub_strndup (data->sblock.volume_name, 14);
  else
    *label = NULL;
  grub_free (data);

If grub_ext2_mount fails, data is not allocated but we free it anyway.

Or perhaps I'm missing something? (it's late here, I need some sleep)

-- 
Robert Millan

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: gazillon of double-free
  2010-09-08 23:20 gazillon of double-free Robert Millan
@ 2010-09-08 23:44 ` Vladimir 'φ-coder/phcoder' Serbinenko
  2010-09-14 19:42 ` Colin D Bennett
  1 sibling, 0 replies; 3+ messages in thread
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2010-09-08 23:44 UTC (permalink / raw)
  To: grub-devel

On 09/09/10 01:20, Robert Millan wrote:
> It seems we have a ton of double-free bugs in label() and
> uuid() routines.
>
> Take for example grub_ext2_label():
>
>    data = grub_ext2_mount (disk);
>    if (data)
>      *label = grub_strndup (data->sblock.volume_name, 14);
>    else
>      *label = NULL;
>    grub_free (data);
>
> If grub_ext2_mount fails, data is not allocated but we free it anyway.
>
> Or perhaps I'm missing something? (it's late here, I need some sleep)
>
>    
grub_free (NULL) is a no-op on purpose:
/* Deallocate the pointer PTR.  */
void
grub_free (void *ptr)
{
   grub_mm_header_t p;
   grub_mm_region_t r;

   if (! ptr)
     return;



-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: gazillon of double-free
  2010-09-08 23:20 gazillon of double-free Robert Millan
  2010-09-08 23:44 ` Vladimir 'φ-coder/phcoder' Serbinenko
@ 2010-09-14 19:42 ` Colin D Bennett
  1 sibling, 0 replies; 3+ messages in thread
From: Colin D Bennett @ 2010-09-14 19:42 UTC (permalink / raw)
  To: grub-devel

On Thu, 9 Sep 2010 01:20:40 +0200
Robert Millan <rmh@gnu.org> wrote:

> It seems we have a ton of double-free bugs in label() and
> uuid() routines.
> 
> Take for example grub_ext2_label():
> 
>   data = grub_ext2_mount (disk);
>   if (data)
>     *label = grub_strndup (data->sblock.volume_name, 14);
>   else
>     *label = NULL;
>   grub_free (data);

It is important to distinguish between double-free and free(NULL).
As Vladimir points out, free(NULL) is of course OK, but 
"free(p); free(p);",  where p != NULL, is a double-free and is wrong.

Regards,
Colin


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-09-14 19:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-08 23:20 gazillon of double-free Robert Millan
2010-09-08 23:44 ` Vladimir 'φ-coder/phcoder' Serbinenko
2010-09-14 19:42 ` Colin D Bennett

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.