Double free vulnerability in do_rename_gpt_parts

Tom Rini trini at konsulko.com
Fri Jan 17 17:31:49 CET 2020


On Fri, Jan 17, 2020 at 04:29:52PM +0100, Simon Goldschmidt wrote:
> + Some contributors of this file
> 
> On Fri, Jan 17, 2020 at 1:03 PM Jordy <jordy at simplyhacker.com> wrote:
> >
> > Hello U-Boot lists!
> >
> > I think I found a double free bug in U-Boot, in /cmp/gpt.c in the function do_rename_gpt_parts().
> >
> > On line 702 the partition_list is being free'd if ret is smaller than 0.
> > If the return value is not -ENOMEM it will go to the out: label and free the partition_list again.
> 
> Reading the code, I can confirm that. Funny enough, the code in question was
> introduced by commit 18030d04 ("GPT: fix memory leaks identified by Coverity").
> Although I think Coverity should have detected the resulting double-free...
> 
> However, I'm not sure of the fix: the code just continues for -ENOMEM and then
> goes on using partitions_list at line 757...

So, Coverity later did complain about that change (but not immediately,
funny enough).  I posted http://patchwork.ozlabs.org/patch/1192036/ and
was hoping for a review on it as it's complex enough I'd like to avoid
adding a 3rd round of issues there.  Thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200117/a3bd537a/attachment.sig>


More information about the U-Boot mailing list