authorSakib Sajal <sakib.sajal@windriver.com>2020-04-06 09:08:28 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-07 21:57:11 +0100
commit32f01f9e72089d4412cef5da80970c99c651cc49 (patch)
treecc10fbca89b82767189791c27a00e0b0a68cbcbd /meta/recipes-bsp
parenta8b2cd7470bcc25527577b95a26a0a528949232d (diff)
u-boot: cmd/gpt.c: fix memory leak
Fixes CVE-2020-8432, a double free introduced by commit 18030d04d25d7c08d3deff85881772a520d84d49

CVE: CVE-2020-8432
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-bsp')
-rw-r--r--meta/recipes-bsp/u-boot/u-boot-common.inc1
-rw-r--r--meta/recipes-bsp/u-boot/u-boot/0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch116
2 files changed, 117 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index edd0004792e..a6bbd37d2a6 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -15,6 +15,7 @@ PE = "1"
SRCREV = "303f8fed261020c1cb7da32dad63b610bf6873dd"
SRC_URI = "git://git.denx.de/u-boot.git \
+ file://0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-bsp/u-boot/u-boot/0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch b/meta/recipes-bsp/u-boot/u-boot/0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch
new file mode 100644
index 00000000000..71f2c4a414a
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/u-boot/0001-cmd-gpt-Address-error-cases-during-gpt-rename-more-c.patch
@@ -0,0 +1,116 @@
+From 5749faa3d6837d6dbaf2119fc3ec49a326690c8f Mon Sep 17 00:00:00 2001
+From: Tom Rini <trini@konsulko.com>
+Date: Tue, 21 Jan 2020 11:53:38 -0500
+Subject: [PATCH] cmd/gpt: Address error cases during gpt rename more correctly
+
+New analysis by the tool has shown that we have some cases where we
+weren't handling the error exit condition correctly. When we ran into
+the ENOMEM case we wouldn't exit the function and thus incorrect things
+could happen. Rework the unwinding such that we don't need a helper
+function now and free what we may have allocated.
+
+Fixes: 18030d04d25d ("GPT: fix memory leaks identified by Coverity")
+Reported-by: Coverity (CID: 275475, 275476)
+Cc: Alison Chaiken <alison@she-devel.com>
+Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+Cc: Jordy <jordy@simplyhacker.com>
+Signed-off-by: Tom Rini <trini@konsulko.com>
+Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+
+CVE: CVE-2020-8432
+Upstream-Status: Backport [5749faa3d6837d6dbaf2119fc3ec49a326690c8f]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ cmd/gpt.c | 47 ++++++++++++-----------------------------------
+ 1 file changed, 12 insertions(+), 35 deletions(-)
+
+diff --git a/cmd/gpt.c b/cmd/gpt.c
+index 0c4349f4b2..964702bad4 100644
+--- a/cmd/gpt.c
++++ b/cmd/gpt.c
+@@ -633,21 +633,6 @@ static int do_disk_guid(struct blk_desc *dev_desc, char * const namestr)
+ }
+
+ #ifdef CONFIG_CMD_GPT_RENAME
+-/*
+- * There are 3 malloc() calls in set_gpt_info() and there is no info about which
+- * failed.
+- */
+-static void set_gpt_cleanup(char **str_disk_guid,
+- disk_partition_t **partitions)
+-{
+-#ifdef CONFIG_RANDOM_UUID
+- if (str_disk_guid)
+- free(str_disk_guid);
+-#endif
+- if (partitions)
+- free(partitions);
+-}
+-
+ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ char *name1, char *name2)
+ {
+@@ -655,7 +640,7 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ struct disk_part *curr;
+ disk_partition_t *new_partitions = NULL;
+ char disk_guid[UUID_STR_LEN + 1];
+- char *partitions_list, *str_disk_guid;
++ char *partitions_list, *str_disk_guid = NULL;
+ u8 part_count = 0;
+ int partlistlen, ret, numparts = 0, partnum, i = 1, ctr1 = 0, ctr2 = 0;
+
+@@ -697,14 +682,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ /* set_gpt_info allocates new_partitions and str_disk_guid */
+ ret = set_gpt_info(dev_desc, partitions_list, &str_disk_guid,
+ &new_partitions, &part_count);
+- if (ret < 0) {
+- del_gpt_info();
+- free(partitions_list);
+- if (ret == -ENOMEM)
+- set_gpt_cleanup(&str_disk_guid, &new_partitions);
+- else
+- goto out;
+- }
++ if (ret < 0)
++ goto out;
+
+ if (!strcmp(subcomm, "swap")) {
+ if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) {
+@@ -766,14 +745,8 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ * Even though valid pointers are here passed into set_gpt_info(),
+ * it mallocs again, and there's no way to tell which failed.
+ */
+- if (ret < 0) {
+- del_gpt_info();
+- free(partitions_list);
+- if (ret == -ENOMEM)
+- set_gpt_cleanup(&str_disk_guid, &new_partitions);
+- else
+- goto out;
+- }
++ if (ret < 0)
++ goto out;
+
+ debug("Writing new partition table\n");
+ ret = gpt_restore(dev_desc, disk_guid, new_partitions, numparts);
+@@ -795,10 +768,14 @@ static int do_rename_gpt_parts(struct blk_desc *dev_desc, char *subcomm,
+ }
+ printf("new partition table with %d partitions is:\n", numparts);
+ print_gpt_info();
+- del_gpt_info();
+ out:
+- free(new_partitions);
+- free(str_disk_guid);
++ del_gpt_info();
++#ifdef CONFIG_RANDOM_UUID
++ if (str_disk_guid)
++ free(str_disk_guid);
++#endif
++ if (new_partitions)
++ free(new_partitions);
+ free(partitions_list);
+ return ret;
+ }
+--
+2.20.1
+
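Review bot: The `#ifdef CONFIG_RANDOM_UUID` guard around `free(str_disk_guid)` at the `out:` label narrows a free that the removed lines performed unconditionally, so if `set_gpt_info()` can allocate `str_disk_guid` in builds without that option (the comment above the first call says it allocates both buffers), the string would leak on every exit path. Because the backported patch initialises `str_disk_guid` to NULL, `new_partitions` already is, and `free(NULL)` is a no-op, the cleanup can be just `free(str_disk_guid);` and `free(new_partitions);` with no guard and no NULL checks. The comment kept before the second `if (ret < 0)` says `set_gpt_info()` mallocs again into the same pointers, which suggests the first allocations are overwritten before `out:` is reached; that is worth confirming against the full function, since most of `do_rename_gpt_parts` lies outside the hunks shown. `partitions_list` is still declared without an initialiser, so `free(partitions_list)` at `out:` is only safe if no `goto out` can run before it is assigned, which these hunks do not show.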