[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt
|
From: |
Markus Armbruster |
|
Subject: |
Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt |
|
Date: |
Fri, 29 Nov 2019 15:03:02 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux) |
Vladimir Sementsov-Ogievskiy <address@hidden> writes:
> fit_load_fdt forget to check that errp is not NULL and to zero it after
> freeing. Fix it.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
> Reviewed-by: Eric Blake <address@hidden>
> ---
> hw/core/loader-fit.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
> index 953b16bc82..3ee9fb2f2e 100644
> --- a/hw/core/loader-fit.c
> +++ b/hw/core/loader-fit.c
> @@ -200,7 +200,10 @@ static int fit_load_fdt(const struct fit_loader *ldr,
> const void *itb,
> err = fit_image_addr(itb, img_off, "load", &load_addr, errp);
> if (err == -ENOENT) {
> load_addr = ROUND_UP(kernel_end, 64 * KiB) + (10 * MiB);
> - error_free(*errp);
> + if (errp) {
> + error_free(*errp);
> + *errp = NULL;
> + }
> } else if (err) {
> error_prepend(errp, "unable to read FDT load address from FIT: ");
> ret = err;
This fixes latent bugs when fit_image_addr() fails with ENOENT:
* If a caller passes a null @errp, we crash dereferencing it
* Else, we pass a dangling Error * to the caller, and return success.
If a caller dereferences the Error * regardless, we have a
use-after-free.
Not fixed:
* If a caller passes &error_abort or &error_fatal, we die instead of
taking the recovery path.
We need to use a local_err here.
I'll search for the pattern, and post fix(es).