* Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")
@ 2021-10-12 8:07 Jincheng Wang
2021-10-14 17:46 ` Tom Rini
0 siblings, 1 reply; 3+ messages in thread
From: Jincheng Wang @ 2021-10-12 8:07 UTC (permalink / raw)
To: u-boot
Hello U-Boot lists!
I had been doing a fuzz testing in U-Boot .
There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the
function sqfs_tokenize( ).
On the line 307, tokens[i] is being freed and the ret is being set -ENOMEM,
it will go to the out: label and free tokens[i] again (just like
CVE-2020-8432, double free in do_rename_gpt_parts() ).
Here is a sample command cause to crash in sandbox environment:
host bind 0 test.sqsh
sqfsls host 0 1//3
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")
2021-10-12 8:07 Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload") Jincheng Wang
@ 2021-10-14 17:46 ` Tom Rini
2021-10-15 9:05 ` Jincheng Wang
0 siblings, 1 reply; 3+ messages in thread
From: Tom Rini @ 2021-10-14 17:46 UTC (permalink / raw)
To: Jincheng Wang; +Cc: u-boot
[-- Attachment #1: Type: text/plain, Size: 711 bytes --]
On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote:
> Hello U-Boot lists!
> I had been doing a fuzz testing in U-Boot .
> There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the
> function sqfs_tokenize( ).
> On the line 307, tokens[i] is being freed and the ret is being set -ENOMEM,
> it will go to the out: label and free tokens[i] again (just like
> CVE-2020-8432, double free in do_rename_gpt_parts() ).
> Here is a sample command cause to crash in sandbox environment:
> host bind 0 test.sqsh
> sqfsls host 0 1//3
Thanks! Can you please submit a fix for this as a patch, as well as
updating the existing sqfs tests to have this as an example?
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")
2021-10-14 17:46 ` Tom Rini
@ 2021-10-15 9:05 ` Jincheng Wang
0 siblings, 0 replies; 3+ messages in thread
From: Jincheng Wang @ 2021-10-15 9:05 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot
Yes, I will submit a patch to fix the bug.
Regards,
Jincheng
Tom Rini <trini@konsulko.com> 于2021年10月15日周五 上午1:46写道:
> On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote:
>
> > Hello U-Boot lists!
> > I had been doing a fuzz testing in U-Boot .
> > There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the
> > function sqfs_tokenize( ).
> > On the line 307, tokens[i] is being freed and the ret is being set
> -ENOMEM,
> > it will go to the out: label and free tokens[i] again (just like
> > CVE-2020-8432, double free in do_rename_gpt_parts() ).
> > Here is a sample command cause to crash in sandbox environment:
> > host bind 0 test.sqsh
> > sqfsls host 0 1//3
>
> Thanks! Can you please submit a fix for this as a patch, as well as
> updating the existing sqfs tests to have this as an example?
>
> --
> Tom
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-15 9:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-12 8:07 Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload") Jincheng Wang
2021-10-14 17:46 ` Tom Rini
2021-10-15 9:05 ` Jincheng Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox