Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")
Jincheng Wang
jc.w4ng at gmail.com
Fri Oct 15 11:05:08 CEST 2021
Yes, I will submit a patch to fix the bug.
Regards,
Jincheng
Tom Rini <trini at konsulko.com> 于2021年10月15日周五 上午1:46写道:
> On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote:
>
> > Hello U-Boot lists!
> > I had been doing a fuzz testing in U-Boot .
> > There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the
> > function sqfs_tokenize( ).
> > On the line 307, tokens[i] is being freed and the ret is being set
> -ENOMEM,
> > it will go to the out: label and free tokens[i] again (just like
> > CVE-2020-8432, double free in do_rename_gpt_parts() ).
> > Here is a sample command cause to crash in sandbox environment:
> > host bind 0 test.sqsh
> > sqfsls host 0 1//3
>
> Thanks! Can you please submit a fix for this as a patch, as well as
> updating the existing sqfs tests to have this as an example?
>
> --
> Tom
>
More information about the U-Boot
mailing list