[U-Boot] kwbimage use after free
Jonathan Gray
jsg at jsg.id.au
Sat Oct 22 06:47:42 CEST 2016
I didn't see a dedicated list to send bug reports so sending it here:
There is a use after free in kwbimage, found by building u-boot with the
use after free detection enabled with OpenBSD's malloc. When building
the clearfog target:
MKIMAGE u-boot-spl.kwb
Segmentation fault (core dumped)
kwbimage_generate -> image_version_file (alloc and free image_cfg global)
kwbimage_generate -> image_headersz_v1 -> image_count_options (image_cfg used)
It isn't clear to me if image_version_file should be inlined or another
approach taken, but as it stands it is clearly wrong.
The result of image_version_file is also never checked for -1 which multiple
paths in the function return.
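A minimal model of the ownership fix the report points at, added here as an example and not U-Boot's own code: image_version_file only fills the global table and reports 0 or -1, the caller checks that result, runs the consumer (image_count_options) and releases the table afterwards, nulling the pointer so a stale reader fails deterministically instead of reading freed memory. The struct cfg_entry, image_cfg_release, cfg_count and the one-entry-per-line "V<n>"/"D<n>" input format are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for mkimage's global config table (assumption). */
struct cfg_entry { int type; int value; };
static struct cfg_entry *image_cfg;
static int cfg_count;

/* Parse constructed input (lines "V<n>" = type 1, "D<n>" = type 0) into
 * the global table. Returns 0 on success, -1 on failure. The table is
 * deliberately NOT freed here: its lifetime belongs to the caller. */
static int image_version_file(const char *contents) {
    if (!contents || !*contents) return -1;
    int n = 1;
    for (const char *p = contents; *p; p++) if (*p == '\n') n++;
    struct cfg_entry *cfg = calloc((size_t)n, sizeof(*cfg));
    if (!cfg) return -1;
    int i = 0;
    for (const char *p = contents; p && *p; ) {
        cfg[i].type = (*p == 'V');
        cfg[i].value = atoi(p + 1);
        i++;
        p = strchr(p, '\n');
        if (p) p++;
    }
    image_cfg = cfg;
    cfg_count = i;
    return 0;
}

/* Release the table once every consumer is done; clearing the global turns
 * any later use-after-free into a null dereference / zero-length scan. */
static void image_cfg_release(void) {
    free(image_cfg);
    image_cfg = NULL;
    cfg_count = 0;
}

/* Consumer that relied on the freed table in the reported flow. */
static int image_count_options(int type) {
    int n = 0;
    for (int i = 0; i < cfg_count; i++) if (image_cfg[i].type == type) n++;
    return n;
}

/* Caller in the fixed flow: check the -1, consume, then release. Returns
 * a constructed header size (16 + 8 per type-1 entry) or -1 on error. */
static int kwbimage_generate(const char *contents) {
    if (image_version_file(contents) < 0) return -1;
    int headersz = 16 + 8 * image_count_options(1);
    image_cfg_release();
    return headersz;
}
```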