[PATCH] tools: fwumdata: Fix use-after-free in parse_config()
Ilias Apalodimas
ilias.apalodimas at linaro.org
Tue Apr 28 11:43:33 CEST 2026
Hi Kory
On Tue, 7 Apr 2026 at 15:34, Kory Maincent <kory.maincent at bootlin.com> wrote:
>
> In parse_config(), devname is dynamically allocated by sscanf().
> When sscanf() fails to fill enough fields (rc < 3), devname is freed and
> the loop continues to the next line. However, if the next call to sscanf()
> fails to match (rc == 0), devname is not written and still holds the stale
> freed pointer. The subsequent free(devname) then operates on
> already-freed memory.
>
> Fix this by resetting devname to NULL before each sscanf() call, so
> that a non-matching call leaves a NULL pointer and the subsequent
> free() becomes a harmless no-op.
>
> Reported-by: Coverity Scan
> Link: https://lists.denx.de/pipermail/u-boot/2026-April/614161.html
> Signed-off-by: Kory Maincent <kory.maincent at bootlin.com>
> ---
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> tools/fwumdata_src/fwumdata.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/tools/fwumdata_src/fwumdata.c b/tools/fwumdata_src/fwumdata.c
> index c5b0f56842d..44195ce2bf2 100644
> --- a/tools/fwumdata_src/fwumdata.c
> +++ b/tools/fwumdata_src/fwumdata.c
> @@ -84,6 +84,7 @@ static int parse_config(const char *fname)
> if (line[0] == '#' || line[0] == '\n')
> continue;
>
> + devname = NULL;
> rc = sscanf(line, "%ms %lli %lx %lx",
> &devname,
> &devices[i].devoff,
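Review bot: the added devname = NULL; ahead of sscanf() carries no comment, and on its own it reads like a redundant assignment that a later cleanup could drop. A one-line comment stating that devname may keep its previous, already-freed value when sscanf() converts nothing would protect it. The commit message also has no Fixes: tag pointing at the commit that introduced this loop, which would help anyone backporting the change.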
> --
> 2.43.0
>
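The pattern described in the commit message above, as an added example that is not part of the original thread or of U-Boot's code: a line loop using "%ms" that resets the pointer before every sscanf() call, so free() on a rejected line is always safe. The sample lines, struct result, parse_lines() and the v1/v2 variables are assumptions made for this illustration; "%ms" requires a POSIX.1-2008 C library such as glibc.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample config lines (not taken from the U-Boot tree). */
static const char *const SAMPLE[] = {
    "# comment\n",
    "/dev/mtd0 0x0 0x1000 0x1000\n",
    "/dev/mtd1\n",              /* too few fields: string allocated, then freed */
    "   \n",                    /* nothing converted: no string handed back */
    "/dev/mtd2 4096 2000\n",    /* three fields: accepted */
};
#define SAMPLE_COUNT (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

struct result {                 /* hypothetical summary type for this example */
    int accepted;               /* lines with at least three fields */
    int unset;                  /* rejected lines where devname came back NULL */
    long long last_devoff;      /* offset from the last accepted line */
};

static struct result parse_lines(const char *const *lines, size_t n)
{
    struct result res = {0, 0, -1};
    char *devname = NULL;
    long long devoff;
    unsigned long v1, v2;       /* hypothetical names for the two %lx fields */

    for (size_t i = 0; i < n; i++) {
        if (lines[i][0] == '#' || lines[i][0] == '\n')
            continue;
        devname = NULL;         /* never carry a freed pointer into this call */
        int rc = sscanf(lines[i], "%ms %lli %lx %lx", &devname, &devoff, &v1, &v2);
        if (rc < 3) {
            if (!devname)
                res.unset++;
            free(devname);      /* free(NULL) is a no-op */
            continue;
        }
        res.accepted++;
        res.last_devoff = devoff;
        free(devname);
    }
    return res;
}

int main(void)
{
    struct result r = parse_lines(SAMPLE, SAMPLE_COUNT);
    printf("accepted=%d unset=%d last_devoff=%lld\n", r.accepted, r.unset, r.last_devoff);
    return 0;
}
```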