Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt

From:	Vladimir Sementsov-Ogievskiy
Subject:	Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt
Date:	Fri, 29 Nov 2019 14:11:09 +0000

29.11.2019 17:03, Markus Armbruster wrote:
> Vladimir Sementsov-Ogievskiy <address@hidden> writes:
> 
>> fit_load_fdt forget to check that errp is not NULL and to zero it after
>> freeing. Fix it.
>>
>> Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
>> Reviewed-by: Eric Blake <address@hidden>
>> ---
>>   hw/core/loader-fit.c | 5 ++++-
>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
>> index 953b16bc82..3ee9fb2f2e 100644
>> --- a/hw/core/loader-fit.c
>> +++ b/hw/core/loader-fit.c
>> @@ -200,7 +200,10 @@ static int fit_load_fdt(const struct fit_loader *ldr, 
>> const void *itb,
>>       err = fit_image_addr(itb, img_off, "load", &load_addr, errp);
>>       if (err == -ENOENT) {
>>           load_addr = ROUND_UP(kernel_end, 64 * KiB) + (10 * MiB);
>> -        error_free(*errp);
>> +        if (errp) {
>> +            error_free(*errp);
>> +            *errp = NULL;
>> +        }
>>       } else if (err) {
>>           error_prepend(errp, "unable to read FDT load address from FIT: ");
>>           ret = err;
> 
> This fixes latent bugs when fit_image_addr() fails with ENOENT:
> 
> * If a caller passes a null @errp, we crash dereferencing it
> 
> * Else, we pass a dangling Error * to the caller, and return success.
>    If a caller dereferences the Error * regardless, we have a
>    use-after-free.
> 
> Not fixed:
> 
> * If a caller passes &error_abort or &error_fatal, we die instead of
>    taking the recovery path.

No, if it is error_abort or error_fatal, we will not reach this point, the 
execution
finished before, when error was set.

> 
> We need to use a local_err here.
> 
> I'll search for the pattern, and post fix(es).
> 


-- 
Best regards,
Vladimir

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Vladimir Sementsov-Ogievskiy, 2019/11/27
- Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Markus Armbruster, 2019/11/29
  - Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Vladimir Sementsov-Ogievskiy <=
    - Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Vladimir Sementsov-Ogievskiy, 2019/11/29
    - Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Markus Armbruster, 2019/11/29
    - Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Vladimir Sementsov-Ogievskiy, 2019/11/29
    - Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Markus Armbruster, 2019/11/29
    - Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt, Markus Armbruster, 2019/11/30

Prev by Date: Re: [PATCH v2 01/13] s390x: protvirt: Add diag308 subcodes 8 - 10
Next by Date: Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt
Previous by thread: Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt
Next by thread: Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt
Index(es):
- Date
- Thread