
cmd: gpt: Fix freeing gpt_pte in gpt_verify()

Message ID 20240619212330.24842-1-semen.protsenko@linaro.org
State Accepted
Commit 04c63f134cf268532f6e499aa2edb4f6f45ecefb
Series cmd: gpt: Fix freeing gpt_pte in gpt_verify()

Commit Message

Sam Protsenko June 19, 2024, 9:23 p.m. UTC
In case either gpt_verify_headers() or gpt_verify_partitions()
fails, the memory allocated for gpt_pte will be freed in those functions
internally, but gpt_pte will still contain a non-NULL dangling pointer.
The attempt to free it in those cases in gpt_verify() leads to a "use
after free" error, which leads to a "Synchronous abort" exception.

This issue was found by running the following command on the device with
an incorrect partition table:

    => gpt verify mmc 0 $partitions

which results in:

    No partition list provided - only basic check
    "Synchronous Abort" handler, esr 0x96000021, far 0xba247bff
    ....

Fix the issue by only freeing gpt_pte if none of those functions failed.

Fixes: bbb9ffac6066 ("gpt: command: Extend gpt command to support GPT table verification")
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
---
 cmd/gpt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
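The ownership mix-up described in the commit message, as an added illustration that is not U-Boot's code: a static "partition table" with an in-use flag stands in for malloc()/free() so the second free on the failure path is counted rather than crashing, and both caller shapes are compared. All names (table_alloc, verify_table, gpt_verify_before, gpt_verify_after) are hypothetical.

```c
/* Added model of the bug in the commit message above; not U-Boot code. One
 * static "partition table" with an in-use flag stands in for malloc()/free()
 * so a second free is counted instead of being undefined behaviour. */
static int table_in_use, double_frees;
static int *table_alloc(void)
{
	table_in_use = 1;
	double_frees = 0;	/* fresh scenario */
	return &table_in_use;
}

static void table_free(int *p)
{
	if (!p)		/* free(NULL) is a no-op, like libc */
		return;
	if (!*p)	/* already released: the dangling-pointer bug */
		double_frees++;
	*p = 0;
}

/* Stands in for gpt_verify_headers()/gpt_verify_partitions(): on failure it
 * frees the table itself but leaves the caller's pointer dangling. */
static int verify_table(int **pte, int fail)
{
	if (!fail)
		return 0;
	table_free(*pte);
	return -1;
}

/* Caller shape before the patch: unconditional free at out:. Both callers
 * return 1 for a double free, 2 for a leak, 0 when memory handling is clean. */
static int gpt_verify_before(int fail)
{
	int *gpt_pte = table_alloc();
	verify_table(&gpt_pte, fail);	/* on failure the callee freed it... */
	table_free(gpt_pte);		/* ...so this is a second free */
	return double_frees ? 1 : table_in_use ? 2 : 0;
}

/* Caller shape after the patch: free only when nothing failed. */
static int gpt_verify_after(int fail)
{
	int *gpt_pte = table_alloc();
	int ret = verify_table(&gpt_pte, fail);
	if (!ret)
		table_free(gpt_pte);
	return double_frees ? 1 : table_in_use ? 2 : 0;
}
```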

Comments

Tom Rini June 28, 2024, 7:49 p.m. UTC | #1
On Wed, 19 Jun 2024 16:23:30 -0500, Sam Protsenko wrote:

> In case either gpt_verify_headers() or gpt_verify_partitions()
> fails, the memory allocated for gpt_pte will be freed in those functions
> internally, but gpt_pte will still contain a non-NULL dangling pointer.
> The attempt to free it in those cases in gpt_verify() leads to a "use
> after free" error, which leads to a "Synchronous abort" exception.
> 
> This issue was found by running the following command on the device with
> an incorrect partition table:
> 
> [...]

Applied to u-boot/next, thanks!

Patch

diff --git a/cmd/gpt.c b/cmd/gpt.c
index 7aaf1889a5ac..98e1185014ed 100644
--- a/cmd/gpt.c
+++ b/cmd/gpt.c
@@ -683,7 +683,8 @@  static int gpt_verify(struct blk_desc *blk_dev_desc, const char *str_part)
 	free(str_disk_guid);
 	free(partitions);
  out:
-	free(gpt_pte);
+	if (!ret)
+		free(gpt_pte);
 	return ret;
 }
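Review bot: the `if (!ret)` guard at `out:` makes correctness rest on an invariant the code does not state: every path that reaches `out:` with a non-zero `ret` must already have released `gpt_pte` (or never allocated it). The commit message says gpt_verify_headers() and gpt_verify_partitions() free it internally on failure, so those paths are covered, but any other error path that jumps to `out:` after the allocation without freeing would now leak the table silently instead of crashing. Suggest a one-line comment above `if (!ret)` spelling out that rule, and, as a follow-up, having the callees clear the caller's pointer (if they receive it by address) once they free it, so the original unconditional `free(gpt_pte)` becomes safe and ownership is explicit at the point of release.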