Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")

Tom Rini trini at
Thu Oct 14 19:46:47 CEST 2021

On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote:

> Hello U-Boot lists!
> I had been doing a fuzz testing in U-Boot .
> There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the
> function sqfs_tokenize( ).
> On the line 307, tokens[i] is being freed and the ret is being set -ENOMEM,
> it will go to the out: label and free tokens[i] again (just like
> CVE-2020-8432, double free in do_rename_gpt_parts() ).
> Here is  a sample command cause to crash in sandbox environment:
>     host bind 0 test.sqsh
>     sqfsls host 0 1//3

Thanks!  Can you please submit a fix for this as a patch, as well as
updating the existing sqfs tests to have this as an example?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <>

More information about the U-Boot mailing list