On Fri, Jan 17, 2020 at 04:29:52PM +0100, Simon Goldschmidt wrote:
> + Some contributors of this file
>
> On Fri, Jan 17, 2020 at 1:03 PM Jordy <jo...@simplyhacker.com> wrote:
> >
> > Hello U-Boot lists!
> >
> > I think I found a double free bug in U-Boot, in /cmp/gpt.c in the function
> > do_rename_gpt_parts().
> >
> > On line 702 the partition_list is being free'd if ret is smaller than 0.
> > If the return value is not -ENOMEM it will go to the out: label and free
> > the partition_list again.
>
> Reading the code, I can confirm that. Funny enough, the code in question was
> introduced by commit 18030d04 ("GPT: fix memory leaks identified by
> Coverity").
> Although I think Coverity should have detected the resulting double-free...
>
> However, I'm not sure of the fix: the code just continues for -ENOMEM and then
> goes on using partitions_list at line 757...So, Coverity later did complain about that change (but not immediately, funny enough). I posted http://patchwork.ozlabs.org/patch/1192036/ and was hoping for a review on it as it's complex enough I'd like to avoid adding a 3rd round of issues there. Thanks! -- Tom
signature.asc
Description: PGP signature
