[PATCH] uefi: uefivarinfo: fix double free on data (LP: #1372874)
Keng-Yu Lin
keng-yu.lin at canonical.com
Wed Sep 24 02:00:47 UTC 2014
On Tue, Sep 23, 2014 at 6:31 PM, Colin King <colin.king at canonical.com> wrote:
> From: Colin Ian King <colin.king at canonical.com>
>
> Commit 728cbed162d88306e5fb10623fb37b282e21f73f "uefivarinfo: allocate
> buffer rewrite to avoid realloc failure (LP: #1362540)" introduced
> a double free on data as detected by Coverity Scan:
>
> *** CID 1240201: Double free (USE_AFTER_FREE)
> /src/uefi/uefivarinfo/uefivarinfo.c: 160 in do_checkvariables()
> 154 free(data);
> 155 return FWTS_ERROR;
> 156 }
> 157 }
> 158 }
> 159
>>>> CID 1240201: Double free (USE_AFTER_FREE)
>>>> Calling "free" frees pointer "data" which has already been freed.
> 160 free(data);
>
> Free data in appropriate places to ensure we don't do a double free
>
> Signed-off-by: Colin Ian King <colin.king at canonical.com>
> ---
> src/uefi/uefivarinfo/uefivarinfo.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
> index a4d2783..41296c6 100644
> --- a/src/uefi/uefivarinfo/uefivarinfo.c
> +++ b/src/uefi/uefivarinfo/uefivarinfo.c
> @@ -127,12 +127,13 @@ static int do_checkvariables(
>
> ioret = ioctl(fd, EFI_RUNTIME_GET_VARIABLE, &getvariable);
> if (ioret == -1) {
> - free(data);
> if (status != EFI_BUFFER_TOO_SMALL) {
> + free(data);
> fwts_log_info(fw, "Failed to get variable with UEFI runtime service.");
> fwts_uefi_print_status_info(fw, status);
> return FWTS_ERROR;
> } else if (getdatasize > maxvarsize) {
> + free(data);
> fwts_log_info(fw, "Variable is larger than maximum variable length.");
> fwts_uefi_print_status_info(fw, status);
>
> @@ -156,7 +157,6 @@ static int do_checkvariables(
> }
> }
> }
> -
> free(data);
>
> (*usedvarssize) += getdatasize;
> --
> 2.1.0
>
Acked-by: Keng-Yu Lin <kengyu at canonical.com>
More information about the fwts-devel
mailing list