From patchwork Mon Dec 4 17:03:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Heinrich Schuchardt X-Patchwork-Id: 844331 X-Patchwork-Delegate: agraf@suse.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.denx.de (client-ip=81.169.180.215; helo=lists.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from lists.denx.de (dione.denx.de [81.169.180.215]) by ozlabs.org (Postfix) with ESMTP id 3yrB8z5xYXz9t9j for ; Tue, 5 Dec 2017 04:05:55 +1100 (AEDT) Received: by lists.denx.de (Postfix, from userid 105) id 436ACC21E71; Mon, 4 Dec 2017 17:04:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM autolearn=unavailable autolearn_force=no version=3.4.0 Received: from lists.denx.de (localhost [IPv6:::1]) by lists.denx.de (Postfix) with ESMTP id C8A66C21E55; Mon, 4 Dec 2017 17:04:11 +0000 (UTC) Received: by lists.denx.de (Postfix, from userid 105) id 4D8F7C21E31; Mon, 4 Dec 2017 17:04:08 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by lists.denx.de (Postfix) with ESMTPS id CAAC2C21E55 for ; Mon, 4 Dec 2017 17:04:07 +0000 (UTC) Received: from workstation4.fritz.box ([94.114.42.150]) by mail.gmx.com (mrgmx101 [212.227.17.174]) with ESMTPSA (Nemesis) id 0LcnRD-1elNp31hGZ-00kAS6; Mon, 04 Dec 2017 18:04:06 +0100 From: Heinrich Schuchardt To: Alexander Graf Date: Mon, 4 Dec 2017 18:03:03 +0100 Message-Id: <20171204170303.24758-4-xypron.glpk@gmx.de> X-Mailer: git-send-email 2.14.2 In-Reply-To: <20171204170303.24758-1-xypron.glpk@gmx.de> References: <20171204170303.24758-1-xypron.glpk@gmx.de> X-Provags-ID: V03:K0:B8Yj4Q+0Ha4wWw/Bk7TCC2OE+WAEgZvHuUsAyAIgyzq1eNMRTHd HyiABDygesoSjaJa8Y0gY3+UIPD+vEnffXiHhJNY+DWJExAVpymrk5GL8b56qTOPYaBgueR dEnd6TSMqAsmuHDHHQWjqpXleUf8cZfmTRHiE2cGc1O9eLJ1M9vIaEx7jNWpXtITdljwas1 mfAT6p4or0t8uVfeB5Pyg== X-UI-Out-Filterresults: notjunk:1; V01:K0:f9Yg31at2/g=:dgvekCUT4ckFceZZJI9MjP APs356kdCFvGuFj78+h44OxVWlIBuBhBeBdmGZfiq3TW8RCl3lJEA5YYQoxjncNKWzCHicfgl 5LPeqkdQWrU1e3b1JQmeLh9kspFQvnt0ihx+nSyPrOyK1SpsmVfppPSEBmOwmP9z0Uz4e4Tt/ bTXJrie7DBLW0xLqjo/iZ907aeppBQI0geum/iCqqp+KWfvXhCsrTINsOOdB6jFp0hflCE6Ji HYQiM96AGBlTCFjWfz09cAemlAGqUDCNGUoRywYzl31YHKspxWhVyq1RLnK4JbWMN8RRZbTY9 68RFM9znZ1BL6lXL6TAiiZYS/c7bkLgDLXY1tzzyztz52X7Utwk62sZJx9L6IOZeYi59VT3fE Yvv4YM00+D3FH9PKbTRjzDTZhGbKuVlDe5la1E8uO8uGC0U2lyKKEqHLoOnh5Suk1TBa0xsg1 8w8GIMsHnh1EmY9rpNRtIOWXELGTl5TosigzB7Cgtze0vxPbB+GrKZAyRi9TqAH08SOV5xo8p +qTIc//ujlwvI05whkhdGBUIU1/hLX8kPxlns7WhR/ESLPGPWuqbsmFI6kVnIb0mlH1CGDTID vOfrGKCLyCWyUAad+fCv1w5xAj6+2nA6MV3raG5BkHahFUoDpBFEJoUSkj5Du/F2SDVFqRmz9 MM2rOgO5Xc//+ve6yMZibu8iFzKKs9ynWhwzam70x7DXJE12PLmla+Gx2ahT4au4EmVzC3yfz ayGJ9nqABRW/nRnQNQKL1RYtB24SIVf7nL/snSuGDG8K5D/314F/NMx20pCugBuycRhvpBEiT 7LQpdy4Gb/7vYJz6iGzKjeaq7j0HQ== Cc: u-boot@lists.denx.de, Heinrich Schuchardt Subject: [U-Boot] [PATCH 3/3] efi_loader: error handling in efi_load_image() X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" If a failure occurs when trying to load an image, it is insufficient to free() the EFI object. We must remove it from the object list, too. Otherwise a use after free will occur the next time we iterate over the object list. Furthermore errors in setting up the image should be handled. Signed-off-by: Heinrich Schuchardt --- lib/efi_loader/efi_boottime.c | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/lib/efi_loader/efi_boottime.c b/lib/efi_loader/efi_boottime.c index 7c8f3134d1..b90bd0b426 100644 --- a/lib/efi_loader/efi_boottime.c +++ b/lib/efi_loader/efi_boottime.c @@ -1308,6 +1308,7 @@ static efi_status_t EFIAPI efi_load_image(bool boot_policy, { struct efi_loaded_image *info; struct efi_object *obj; + efi_status_t ret; EFI_ENTRY("%d, %p, %p, %p, %ld, %p", boot_policy, parent_image, file_path, source_buffer, source_size, image_handle); @@ -1317,41 +1318,39 @@ static efi_status_t EFIAPI efi_load_image(bool boot_policy, if (!source_buffer) { struct efi_device_path *dp, *fp; - efi_status_t ret; ret = efi_load_image_from_path(file_path, &source_buffer); - if (ret != EFI_SUCCESS) { - free(info); - free(obj); - return EFI_EXIT(ret); - } - + if (ret != EFI_SUCCESS) + goto failure; /* * split file_path which contains both the device and * file parts: */ efi_dp_split_file_path(file_path, &dp, &fp); - - efi_setup_loaded_image(info, obj, dp, fp); + ret = efi_setup_loaded_image(info, obj, dp, fp); + if (ret != EFI_SUCCESS) + goto failure; } else { /* In this case, file_path is the "device" path, ie. * something like a HARDWARE_DEVICE:MEMORY_MAPPED */ - efi_setup_loaded_image(info, obj, file_path, NULL); + ret = efi_setup_loaded_image(info, obj, file_path, NULL); + if (ret != EFI_SUCCESS) + goto failure; } - info->reserved = efi_load_pe(source_buffer, info); if (!info->reserved) { - free(info); - free(obj); - return EFI_EXIT(EFI_UNSUPPORTED); + ret = EFI_UNSUPPORTED; + goto failure; } - info->system_table = &systab; info->parent_handle = parent_image; *image_handle = obj->handle; - return EFI_EXIT(EFI_SUCCESS); +failure: + free(info); + efi_delete_handle(obj); + return EFI_EXIT(ret); } /*