Re: Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")
Yes, I will submit a patch to fix the bug. Regards, Jincheng Tom Rini 于2021年10月15日周五 上午1:46写道: > On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote: > > > Hello U-Boot lists! > > I had been doing a fuzz testing in U-Boot . > > There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the > > function sqfs_tokenize( ). > > On the line 307, tokens[i] is being freed and the ret is being set > -ENOMEM, > > it will go to the out: label and free tokens[i] again (just like > > CVE-2020-8432, double free in do_rename_gpt_parts() ). > > Here is a sample command cause to crash in sandbox environment: > > host bind 0 test.sqsh > > sqfsls host 0 1//3 > > Thanks! Can you please submit a fix for this as a patch, as well as > updating the existing sqfs tests to have this as an example? > > -- > Tom >
Re: Double free vulnerability in sqfs commands ("sqfsls" and "sqfsload")
On Tue, Oct 12, 2021 at 04:07:43PM +0800, Jincheng Wang wrote: > Hello U-Boot lists! > I had been doing a fuzz testing in U-Boot . > There is a double free bug in U-Boot, in /fs/squashfs/sqfs.c in the > function sqfs_tokenize( ). > On the line 307, tokens[i] is being freed and the ret is being set -ENOMEM, > it will go to the out: label and free tokens[i] again (just like > CVE-2020-8432, double free in do_rename_gpt_parts() ). > Here is a sample command cause to crash in sandbox environment: > host bind 0 test.sqsh > sqfsls host 0 1//3 Thanks! Can you please submit a fix for this as a patch, as well as updating the existing sqfs tests to have this as an example? -- Tom signature.asc Description: PGP signature
