Message ID | 1411468309-27443-1-git-send-email-colin.king@canonical.com |
---|---|
State | Accepted |
Headers | show |
On 14-09-23 06:31 PM, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > Commit 728cbed162d88306e5fb10623fb37b282e21f73f "uefivarinfo: allocate > buffer rewrite to avoid realloc failure (LP: #1362540)" introduced > a double free on data as detected by Coverity Scan: > > *** CID 1240201: Double free (USE_AFTER_FREE) > /src/uefi/uefivarinfo/uefivarinfo.c: 160 in do_checkvariables() > 154 free(data); > 155 return FWTS_ERROR; > 156 } > 157 } > 158 } > 159 >>>> CID 1240201: Double free (USE_AFTER_FREE) >>>> Calling "free" frees pointer "data" which has already been freed. > 160 free(data); > > Free data in appropriate places to ensure we don't do a double free > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > src/uefi/uefivarinfo/uefivarinfo.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c > index a4d2783..41296c6 100644 > --- a/src/uefi/uefivarinfo/uefivarinfo.c > +++ b/src/uefi/uefivarinfo/uefivarinfo.c > @@ -127,12 +127,13 @@ static int do_checkvariables( > > ioret = ioctl(fd, EFI_RUNTIME_GET_VARIABLE, &getvariable); > if (ioret == -1) { > - free(data); > if (status != EFI_BUFFER_TOO_SMALL) { > + free(data); > fwts_log_info(fw, "Failed to get variable with UEFI runtime service."); > fwts_uefi_print_status_info(fw, status); > return FWTS_ERROR; > } else if (getdatasize > maxvarsize) { > + free(data); > fwts_log_info(fw, "Variable is larger than maximum variable length."); > fwts_uefi_print_status_info(fw, status); > > @@ -156,7 +157,6 @@ static int do_checkvariables( > } > } > } > - > free(data); > > (*usedvarssize) += getdatasize; Acked-by: Alex Hung <alex.hung@canonical.com>
On Tue, Sep 23, 2014 at 6:31 PM, Colin King <colin.king@canonical.com> wrote: > From: Colin Ian King <colin.king@canonical.com> > > Commit 728cbed162d88306e5fb10623fb37b282e21f73f "uefivarinfo: allocate > buffer rewrite to avoid realloc failure (LP: #1362540)" introduced > a double free on data as detected by Coverity Scan: > > *** CID 1240201: Double free (USE_AFTER_FREE) > /src/uefi/uefivarinfo/uefivarinfo.c: 160 in do_checkvariables() > 154 free(data); > 155 return FWTS_ERROR; > 156 } > 157 } > 158 } > 159 >>>> CID 1240201: Double free (USE_AFTER_FREE) >>>> Calling "free" frees pointer "data" which has already been freed. > 160 free(data); > > Free data in appropriate places to ensure we don't do a double free > > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > src/uefi/uefivarinfo/uefivarinfo.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c > index a4d2783..41296c6 100644 > --- a/src/uefi/uefivarinfo/uefivarinfo.c > +++ b/src/uefi/uefivarinfo/uefivarinfo.c > @@ -127,12 +127,13 @@ static int do_checkvariables( > > ioret = ioctl(fd, EFI_RUNTIME_GET_VARIABLE, &getvariable); > if (ioret == -1) { > - free(data); > if (status != EFI_BUFFER_TOO_SMALL) { > + free(data); > fwts_log_info(fw, "Failed to get variable with UEFI runtime service."); > fwts_uefi_print_status_info(fw, status); > return FWTS_ERROR; > } else if (getdatasize > maxvarsize) { > + free(data); > fwts_log_info(fw, "Variable is larger than maximum variable length."); > fwts_uefi_print_status_info(fw, status); > > @@ -156,7 +157,6 @@ static int do_checkvariables( > } > } > } > - > free(data); > > (*usedvarssize) += getdatasize; > -- > 2.1.0 > Acked-by: Keng-Yu Lin <kengyu@canonical.com>
diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c index a4d2783..41296c6 100644 --- a/src/uefi/uefivarinfo/uefivarinfo.c +++ b/src/uefi/uefivarinfo/uefivarinfo.c @@ -127,12 +127,13 @@ static int do_checkvariables( ioret = ioctl(fd, EFI_RUNTIME_GET_VARIABLE, &getvariable); if (ioret == -1) { - free(data); if (status != EFI_BUFFER_TOO_SMALL) { + free(data); fwts_log_info(fw, "Failed to get variable with UEFI runtime service."); fwts_uefi_print_status_info(fw, status); return FWTS_ERROR; } else if (getdatasize > maxvarsize) { + free(data); fwts_log_info(fw, "Variable is larger than maximum variable length."); fwts_uefi_print_status_info(fw, status); @@ -156,7 +157,6 @@ static int do_checkvariables( } } } - free(data); (*usedvarssize) += getdatasize;