Message ID | 20240619212330.24842-1-semen.protsenko@linaro.org |
---|---|
State | Accepted |
Commit | 04c63f134cf268532f6e499aa2edb4f6f45ecefb |
Series | cmd: gpt: Fix freeing gpt_pte in gpt_verify() |

On Wed, 19 Jun 2024 16:23:30 -0500, Sam Protsenko wrote:
> In case when either gpt_verify_headers() or gpt_verify_partitions()
> fails, the memory allocated for gpt_pte will be freed in those functions
> internally, but gpt_pte will still contain non-NULL dangling pointer.
> The attempt to free it in those cases in gpt_verify() leads to "use
> after free" error, which leads to a "Synchronous abort" exception.
>
> This issue was found by running the next command on the device with
> incorrect partition table:
>
> [...]

Applied to u-boot/next, thanks!

diff --git a/cmd/gpt.c b/cmd/gpt.c index 7aaf1889a5ac..98e1185014ed 100644 --- a/cmd/gpt.c +++ b/cmd/gpt.c @@ -683,7 +683,8 @@ static int gpt_verify(struct blk_desc *blk_dev_desc, const char *str_part) free(str_disk_guid); free(partitions); out: - free(gpt_pte); + if (!ret) + free(gpt_pte); return ret; }
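
Review bot: At the `out:` label, `if (!ret) free(gpt_pte);` ties the cleanup to the return code rather than to who still owns the buffer, and nothing in the code says why. The guard is only correct while every non-zero `ret` that reaches `out:` means a callee has already freed `gpt_pte`; a path that arrives there with an error while the buffer is still allocated would now leak it, which is worth checking against the rest of the function since it is not visible in this hunk. Consider a short comment above the guard stating that gpt_verify_headers() and gpt_verify_partitions() free gpt_pte on failure, or clearing the pointer wherever the callee frees it so that the unconditional `free(gpt_pte)` can stay. The commit message also calls this a use after free, while what it describes is a second free() of the same pointer.
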
In case when either gpt_verify_headers() or gpt_verify_partitions()
fails, the memory allocated for gpt_pte will be freed in those functions
internally, but gpt_pte will still contain non-NULL dangling pointer.
The attempt to free it in those cases in gpt_verify() leads to "use
after free" error, which leads to a "Synchronous abort" exception.

This issue was found by running the next command on the device with
incorrect partition table:

    => gpt verify mmc 0 $partitions

which results in:

    No partition list provided - only basic check
    "Synchronous Abort" handler, esr 0x96000021, far 0xba247bff
    ....

Fix the issue by only freeing gpt_pte if none of those functions failed.

Fixes: bbb9ffac6066 ("gpt: command: Extend gpt command to support GPT table verification")
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
---
 cmd/gpt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
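
The ownership problem described in the commit message, as an added stand-alone example that is not U-Boot code and not part of the patch: it compares unconditional cleanup, the patch's `if (!ret)` guard, and a callee that clears the caller's pointer after freeing. `verify_headers()`, `run_verify()`, the `cleanup` enum and the one-slot allocator are hypothetical names constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed one-slot allocator standing in for malloc()/free(), so a
 * second free of the same buffer is counted instead of corrupting a heap. */
static unsigned char slot[64];
static int slot_live, double_frees;

static void *pte_alloc(void) { slot_live = 1; return slot; }

static void pte_free(void *p)
{
	if (!p) return;                  /* same contract as free(NULL) */
	if (!slot_live) double_frees++;  /* buffer was already released */
	slot_live = 0;
}

/* Hypothetical callee following the convention in the commit message:
 * it hands back a buffer through *pte and frees it itself on failure.
 * clear_on_fail selects whether it also resets the caller's pointer. */
static int verify_headers(void **pte, int table_ok, int clear_on_fail)
{
	*pte = pte_alloc();
	if (table_ok) return 0;
	pte_free(*pte);
	if (clear_on_fail) *pte = NULL;
	return -1;
}

enum cleanup { ALWAYS_FREE, FREE_ON_SUCCESS };

/* Caller shaped like gpt_verify(): returns how many double frees its
 * cleanup caused; *leaked is non-zero if the buffer was never released. */
static int run_verify(int table_ok, int clear_on_fail, enum cleanup mode,
		      int *leaked)
{
	void *pte = NULL;
	int ret;

	double_frees = 0;
	ret = verify_headers(&pte, table_ok, clear_on_fail);
	if (mode == ALWAYS_FREE || !ret)
		pte_free(pte);
	*leaked = slot_live;
	return double_frees;
}

int main(void)
{
	int l;
	printf("old cleanup, bad table: %d\n", run_verify(0, 0, ALWAYS_FREE, &l));
	printf("guarded, bad table:     %d\n", run_verify(0, 0, FREE_ON_SUCCESS, &l));
	return 0;
}
```
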