Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")

Jincheng Wang jc.w4ng at gmail.com
Tue Oct 12 10:07:43 CEST 2021


Hello U-Boot lists!
I had been doing a fuzz testing in U-Boot .
There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the
function sqfs_tokenize( ).
On the line 307, tokens[i] is being freed and the ret is being set -ENOMEM,
it will go to the out: label and free tokens[i] again (just like
CVE-2020-8432, double free in do_rename_gpt_parts() ).
Here is  a sample command cause to crash in sandbox environment:
    host bind 0 test.sqsh
    sqfsls host 0 1//3


More information about the U-Boot mailing list