Mathias Krause (minipli@googlemail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/2900
-gerrit
commit 75040b90c9a403905312d3f90636b606e6e5ecaf
Author: Mathias Krause minipli@googlemail.com
Date: Sun Mar 24 19:40:02 2013 +0100
libpayload: fix use-after-free in usb_exit()
The controller's shutdown function free()s the controller structure so we shouldn't access it any more after calling shutdown.
As all controllers detach themselves, i.e. unchain themselves from usb_hcs, just keep iterating over usb_hcs until it's NULL.
Change-Id: Ie85caba0f685494c3fe04c550a5a14bc4158a94e
Signed-off-by: Mathias Krause minipli@googlemail.com
---
 payloads/libpayload/drivers/usb/usb.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/payloads/libpayload/drivers/usb/usb.c b/payloads/libpayload/drivers/usb/usb.c index 0448d38..23561c4 100644 --- a/payloads/libpayload/drivers/usb/usb.c +++ b/payloads/libpayload/drivers/usb/usb.c @@ -74,12 +74,8 @@ detach_controller (hci_t *controller) int usb_exit (void) { - if (usb_hcs == 0) - return 0; - hci_t *controller = usb_hcs; - while (controller != NULL) { - controller->shutdown(controller); - controller = controller->next; + while (usb_hcs != NULL) { + usb_hcs->shutdown(usb_hcs); } return 0; }
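Review bot: In usb_exit(), the new `while (usb_hcs != NULL)` loop terminates only if every shutdown() implementation unchains its controller from usb_hcs. The commit message states that all controllers do this, but nothing in the function enforces it. A driver whose shutdown() returns without detaching would make usb_exit() call shutdown() on the same list head forever, and if that shutdown() also freed the structure, the repeated call would be on freed memory, which is the class of bug this change is meant to remove. Suggest a comment above the loop stating the invariant (shutdown() must detach the controller before freeing it), or saving the head pointer before the call and breaking out with an error message if usb_hcs is unchanged afterward.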