[04/12] libflash/blocklevel: Fix theoretical use after free (CID 145924)

Submitted by Cyril Bur on Aug. 3, 2017, 6:45 a.m.

Details

Message ID 20170803064551.3439-4-cyril.bur@au1.ibm.com
State Accepted

Commit Message

Cyril Bur Aug. 3, 2017, 6:45 a.m.
If we extend the ECC protection array and subsequently decide to merge
regions in one call, then there would be a use after free bug. While this
exists in theory and was caught by Coverity, it should never happen,
since we only merge regions if we're low on space, but the use after
free is caused by having just created more space.

Nevertheless, this is the kind of ticking timebomb that simply requires
some code rearrangement or different 'optimisations' to become possible.
Best to just make it impossible.

Fixes CID 145924

Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
---
 libflash/blocklevel.c | 1 +
 1 file changed, 1 insertion(+)
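The pattern the commit message describes, as an added example that is not skiboot's libflash code: a small model of a sorted range array that is grown (old buffer freed) and then merged inside the same insert call, written so that the local alias of the array is taken only after the reallocation path has run. The names bl_range, range_set, grow(), merge_ranges(), insert_range() and the demo helpers are assumptions for illustration, and the input ranges are constructed; the third insert is the case from the commit message, a grow followed by a merge in one call.

```c
/* Added example, hypothetical model, not skiboot code. Names and the
 * constructed input below are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct bl_range { uint64_t start; uint64_t len; };

struct range_set {
    struct bl_range *prot;  /* sorted by start; non-overlapping after a merge */
    int n_prot;             /* entries in use */
    int total_prot;         /* allocated capacity */
};

/* Replace the backing array with a larger one. Once this returns, every
 * pointer previously derived from set->prot is dangling. */
static bool grow(struct range_set *set)
{
    int cap = set->total_prot ? set->total_prot * 2 : 2;
    struct bl_range *fresh = malloc((size_t)cap * sizeof(*fresh));
    if (!fresh)
        return false;
    if (set->n_prot)
        memcpy(fresh, set->prot, (size_t)set->n_prot * sizeof(*fresh));
    free(set->prot);
    set->prot = fresh;
    set->total_prot = cap;
    return true;
}

/* Coalesce adjacent or overlapping ranges in place. */
static void merge_ranges(struct range_set *set)
{
    struct bl_range *prot = set->prot;  /* read after any reallocation */
    int w = 0;
    for (int r = 1; r < set->n_prot; r++) {
        uint64_t w_end = prot[w].start + prot[w].len;
        if (prot[r].start <= w_end) {
            uint64_t r_end = prot[r].start + prot[r].len;
            if (r_end > w_end)
                prot[w].len = r_end - prot[w].start;
        } else {
            prot[++w] = prot[r];
        }
    }
    if (set->n_prot)
        set->n_prot = w + 1;
}

/* Insert in sorted position; grow first if full, merge afterwards when
 * fewer than two free slots remain. The alias is taken only after grow()
 * has had its chance to replace set->prot. */
bool insert_range(struct range_set *set, struct bl_range range)
{
    struct bl_range *prot;
    int pos;

    if (set->n_prot == set->total_prot && !grow(set))
        return false;

    prot = set->prot;  /* hoisting this above grow() recreates the stale alias */
    for (pos = 0; pos < set->n_prot && prot[pos].start < range.start; pos++)
        ;
    memmove(&prot[pos + 1], &prot[pos], (size_t)(set->n_prot - pos) * sizeof(*prot));
    prot[pos] = range;
    set->n_prot++;

    if (set->total_prot - set->n_prot < 2)
        merge_ranges(set);
    return true;
}

/* Constructed input: the third insert forces grow() and a merge in one call. */
bool build_demo_set(struct range_set *set)
{
    const struct bl_range in[] = { {0, 16}, {64, 16}, {16, 16}, {32, 8}, {100, 4} };
    memset(set, 0, sizeof(*set));
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        if (!insert_range(set, in[i]))
            return false;
    return true;
}

/* Final entry count after the demo inserts (expected 3: [0,40) [64,80) [100,104)). */
int demo_final_count(void)
{
    struct range_set s;
    int n = build_demo_set(&s) ? s.n_prot : -1;
    free(s.prot);
    return n;
}

/* Total bytes covered after the demo inserts, and a sorted/non-overlapping check. */
uint64_t demo_bytes_covered(void)
{
    struct range_set s;
    uint64_t total = 0;
    if (!build_demo_set(&s))
        return 0;
    for (int i = 0; i < s.n_prot; i++) {
        if (i && s.prot[i].start <= s.prot[i - 1].start + s.prot[i - 1].len)
            return 0;  /* overlap left behind: merge invariant broken */
        total += s.prot[i].len;
    }
    free(s.prot);
    return total;
}
```

Moving the `prot = set->prot;` line above the `grow()` call reproduces the bug class from the patch: the third insert then writes into the freed buffer, which a build with `-fsanitize=address` reports as a heap-use-after-free on that memmove.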

Patch

diff --git a/libflash/blocklevel.c b/libflash/blocklevel.c
index d2b7eaa0..33d5c5d2 100644
--- a/libflash/blocklevel.c
+++ b/libflash/blocklevel.c
@@ -591,6 +591,7 @@  static bool insert_bl_prot_range(struct blocklevel_range *ranges, struct bl_prot
 		memcpy(&new_ranges[insert_pos], &range, sizeof(range));
 		ranges->prot = new_ranges;
 		ranges->n_prot++;
+		prot = new_ranges;
 	}
 
 	/* Probably only worth mergeing when we're low on space */
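Review bot: the added `prot = new_ranges;` keeps the local alias in step with `ranges->prot` at this one reallocation site, but the underlying problem is that the merge path below works from a cached copy of the array pointer rather than from `ranges->prot` itself, so any future code that replaces the array will need to remember the same fix-up. Consider having the merge code read `ranges->prot` directly (or re-read it after every path that can reallocate), and add a one-line comment on the new assignment saying why it is required. The hunk does not show where the old array is released, so confirm there is no use of `prot` between that release and this assignment. Nit: the context comment `/* Probably only worth mergeing when we're low on space */` has a typo, `merging`.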