authorSakib Sajal <sakib.sajal@windriver.com>2020-04-06 16:08:28 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-07 20:57:16 (GMT)
commiteba83a98eb7b77a1e006c079ff8b57c55b1fb785 (patch)
tree568ed6467147e76cfa5a7e943b33d77b2ba3bb86
parent9c760ffd3d322b7cd27f0d7588d285aa3b0254ac (diff)
u-boot: cmd/gpt.c: fix memory leak
Fixes CVE-2020-8432, a double free introduced by commit 18030d04d25d7c08d3deff85881772a520d84d49 CVE: CVE-2020-8432 (From OE-Core rev: 32f01f9e72089d4412cef5da80970c99c651cc49) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-common.inc1
-rw-r--r--meta/recipes-bsp/u-boot/u-boot/0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch116
2 files changed, 117 insertions, 0 deletions
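--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -15,6 +15,7 @@ PE = "1"
 SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
 
 SRC_URI = "git://git.denx.de/u-boot.git \
+ file://0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch \
  "
 
 S = "${WORKDIR}/git"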
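--- /dev/null
+++ b/meta/recipes-bsp/u-boot/u-boot/0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch
@@ -0,0 +1,116 @@
+From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001
+From: Tom Rini <trini@konsulko.com>
+Date: Tue, 21 Jan 2020 11:53:38 -0500
+Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly
+
+New analysis by the tool has shown that we have some cases where we
+weren't handling the error exit condition correctly. When we ran into
+the ENOMEM case we wouldn't exit the function and thus incorrect things
+could happen. Rework the unwinding such that we don't need a helper
+function now and free what we may have allocated.
+
+Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity")
+Reported-by: Coverity (CID: 275475, 275476)
+Cc: Alison Chaiken <alison@she-devel.com>
+Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+Cc: Jordy <jordy@simplyhacker.com>
+Signed-off-by: Tom Rini <trini@konsulko.com>
+Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+
+CVE: CVE-2020-8432
+Upstream-Status: Backport [5749faa3d6837d6dbaf2119fc3ec49a326690c8f]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ cmd/gpt.c | 47 ++++++++++++-----------------------------------
+ 1 file changed, 12 insertions(+), 35 deletions(-)
+
+diff --git a/cmd/gpt.c b/cmd/gpt.c
+index 0c4349f4b2..964702bad4 100644
+--- a/cmd/gpt.c
++++ b/cmd/gpt.c
+@@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc *dev_desc, char * const namestr)
+ }
+
+ #ifdef CONFIG_CMD_GPT_RENAME
+-/*
+- * There are 3 malloc() calls in set_gpt_info() and there is no info about which
+- * failed.
+- */
+-static void set_gpt_cleanup(char **str_disk_guid,
+- disk_partition_t **partitions)
+-{
+-#ifdef CONFIG_RANDOM_UUID
+- if (str_disk_guid)
+- free(str_disk_guid);
+-#endif
+- if (partitions)
+- free(partitions);
+-}
+-
+ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ char *name1, char *name2)
+ {
+@@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ struct disk_part *curr;
+ disk_partition_t *new_partitions = NULL;
+ char disk_guid[UUID_STR_LEN + 1];
+- char *partitions_list, *str_disk_guid;
++ char *partitions_list, *str_disk_guid = NULL;
+ u8 part_count = 0;
+ int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0;
+
+@@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ /* set_gpt_info allocates new_partitions and str_disk_guid */
+ ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid,
+ &new_partitions, &part_count);
+- if (ret < 0) {
+- del_gpt_info();
+- free(partitions_list);
+- if (ret == -ENOMEM)
+- set_gpt_cleanup(&str_disk_guid, &new_partitions);
+- else
+- goto out;
+- }
++ if (ret < 0)
++ goto out;
+
+ if (!strcmp(subcomm, "swap")) {
+ if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) {
+@@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ * Even though valid pointers are here passed into set_gpt_info(),
+ * it mallocs again, and there's no way to tell which failed.
+ */
+- if (ret < 0) {
+- del_gpt_info();
+- free(partitions_list);
+- if (ret == -ENOMEM)
+- set_gpt_cleanup(&str_disk_guid, &new_partitions);
+- else
+- goto out;
+- }
++ if (ret < 0)
++ goto out;
+
+ debug("Writing new partition table\n");
+ ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts);
+@@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ }
+ printf("new partition table with %d partitions is:\n", numparts);
+ print_gpt_info();
+- del_gpt_info();
+ out:
+- free(new_partitions);
+- free(str_disk_guid);
++ del_gpt_info();
++#ifdef CONFIG_RANDOM_UUID
++ if (str_disk_guid)
++ free(str_disk_guid);
++#endif
++ if (new_partitions)
++ free(new_partitions);
+ free(partitions_list);
+ return ret;
+ }
+--
+2.20.1
+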
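Review bot: The second set_gpt_info() call, whose result is tested at patch line 91, appears to leak the buffers from the first call: the retained comment at patch lines 80-81 says valid pointers are passed in and it "mallocs again", which suggests `str_disk_guid` and `new_partitions` from the first call (patch lines 64-65) are overwritten without being freed. The new `out:` block releases only whatever the pointers hold last. That second call lies outside the hunks shown, so this needs confirming against cmd/gpt.c; if it holds, add `free(new_partitions); new_partitions = NULL;` before the call, and the same for `str_disk_guid` under the `CONFIG_RANDOM_UUID` condition used at `out:`. Separately, the `if (str_disk_guid)` and `if (new_partitions)` guards at patch lines 106 and 109 are redundant because free(NULL) is a no-op, and the `#ifdef` there deserves a one-line comment saying why `str_disk_guid` is freed only in that configuration. do_rename_gpt_parts starts and continues outside these hunks, so whether `partitions_list` is always assigned before any `goto out` cannot be checked from this page.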