Andrew Engelbrecht (sudoman@ninthfloor.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/7620
-gerrit
commit e41ab71f527ffc4627b5ea059e2913b0e97159f9
Author: Andrew Engelbrecht sudoman@ninthfloor.org
Date: Mon Dec 1 12:22:48 2014 -0500
nvramtool: cmos_read(): Use malloc() instead of alloca()
Fixes crash occurring when 'nvramtool -a' tried to free a prematurely freed pointer. (Tested on x60)
malloc() is correct because the pointer is accessed outside the calling function. The pointer is freed in the parent function list_cmos_entry().
Change-Id: I1723f09740657f0f0d9e6954bd6d11c0a3820a42 Signed-off-by: Andrew Engelbrecht sudoman@ninthfloor.org --- util/nvramtool/cmos_lowlevel.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/util/nvramtool/cmos_lowlevel.c b/util/nvramtool/cmos_lowlevel.c index 618e8d2..c46e480 100644 --- a/util/nvramtool/cmos_lowlevel.c +++ b/util/nvramtool/cmos_lowlevel.c @@ -112,6 +112,9 @@ static inline void put_bits(unsigned char value, unsigned bit, * Read value from nonvolatile RAM at position given by 'bit' and 'length' * and return this value. The I/O privilege level of the currently executing * process must be set appropriately. + * + * Returned value is either (unsigned long long), or malloc()'d (char *) + * cast to (unsigned long long) ****************************************************************************/ unsigned long long cmos_read(const cmos_entry_t * e) { @@ -126,7 +129,7 @@ unsigned long long cmos_read(const cmos_entry_t * e)
if (e->config == CMOS_ENTRY_STRING) { int strsz = (length + 7) / 8; - char *newstring = alloca(strsz); + char *newstring = malloc(strsz); unsigned usize = (8 * sizeof(unsigned long long));
if (!newstring) {
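Review bot: The new header comment on cmos_read() (first hunk) says the return value may be a "malloc()'d (char *) cast to (unsigned long long)" but does not say who frees it or when that case applies. Suggest stating that the pointer form is returned only when e->config == CMOS_ENTRY_STRING and that the caller owns the buffer and must free() it. The commit message names list_cmos_entry() as the function that frees it; any other caller of cmos_read() that can see a string entry is outside this diff and should be checked, since a caller that never frees now leaks where alloca() used to release the memory on return.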
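Review bot: At "char *newstring = malloc(strsz);" (second hunk) the following "if (!newstring) {" check can now actually fire, and its body is not visible in this hunk, so please confirm it reports the failure and exits cleanly rather than carrying on with a NULL pointer. Every exit path in the CMOS_ENTRY_STRING branch after the allocation should either return newstring or free it. Also note that strsz = (length + 7) / 8 rounds the bit length up to whole bytes with no extra byte, so if callers treat the result as a NUL-terminated string it is worth confirming that the entry length always leaves room for the terminator.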