From: Jordy <jordy@simplyhacker.com>
To: u-boot@lists.denx.de
Subject: Double free vulnerability in do_rename_gpt_parts
Date: Fri, 17 Jan 2020 12:23:31 -0500 (EST) [thread overview]
Message-ID: <776301811.195544.1579281811665@privateemail.com> (raw)
In-Reply-To: <20200117163149.GV8732@bill-the-cat>
Hey Tom,
The patch looks good to me, I do agree with simon that you'd have to initialize the pointers to 0, because uninitialized pointers could contain garbage, unless it's a global variable (those are automagically initialized to 0).
Btw I really appreciate the fast and friendly responses, I've seen that different at other software packages thumbs-up for that!
Best Regards,
Jordy
> On January 17, 2020 11:31 AM Tom Rini <trini@konsulko.com> wrote:
>
>
> On Fri, Jan 17, 2020 at 04:29:52PM +0100, Simon Goldschmidt wrote:
> > + Some contributors of this file
> >
> > On Fri, Jan 17, 2020 at 1:03 PM Jordy <jordy@simplyhacker.com> wrote:
> > >
> > > Hello U-Boot lists!
> > >
> > > I think I found a double free bug in U-Boot, in /cmp/gpt.c in the function do_rename_gpt_parts().
> > >
> > > On line 702 the partition_list is being free'd if ret is smaller than 0.
> > > If the return value is not -ENOMEM it will go to the out: label and free the partition_list again.
> >
> > Reading the code, I can confirm that. Funny enough, the code in question was
> > introduced by commit 18030d04 ("GPT: fix memory leaks identified by Coverity").
> > Although I think Coverity should have detected the resulting double-free...
> >
> > However, I'm not sure of the fix: the code just continues for -ENOMEM and then
> > goes on using partitions_list at line 757...
>
> So, Coverity later did complain about that change (but not immediately,
> funny enough). I posted http://patchwork.ozlabs.org/patch/1192036/ and
> was hoping for a review on it as it's complex enough I'd like to avoid
> adding a 3rd round of issues there. Thanks!
>
> --
> Tom
prev parent reply other threads:[~2020-01-17 17:23 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-17 12:03 Double free vulnerability in do_rename_gpt_parts Jordy
2020-01-17 15:29 ` Simon Goldschmidt
2020-01-17 16:31 ` Tom Rini
2020-01-17 16:42 ` Simon Goldschmidt
2020-01-17 17:23 ` Jordy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=776301811.195544.1579281811665@privateemail.com \
--to=jordy@simplyhacker.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox