Attention is currently required from: Angel Pons.

Nico Huber would like build bot (Jenkins) and Angel Pons to review this change.

it87spi.c: Prevent use-after-free bug

The memory for the `param` string is aliased by `dualbiosindex_suffix`.
Moreover, `errno` could have been modified by the call to `free()`.
Therefore, only free the former when there are no more uses of either.

Change-Id: I79f18f6077c77c0cbb8bfa431e17f9b079f11c95
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/46551
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
---
M it87spi.c
1 file changed, 19 insertions(+), 1 deletion(-)

git pull ssh://review.coreboot.org:29418/flashrom refs/changes/41/67841/1
diff --git a/it87spi.c b/it87spi.c
index 0a1e894..a2188fc 100644
--- a/it87spi.c
+++ b/it87spi.c
@@ -139,12 +139,13 @@
char *dualbiosindex_suffix;
errno = 0;
long chip_index = strtol(param, &dualbiosindex_suffix, 0);
- free(param);
if (errno != 0 || *dualbiosindex_suffix != '\0' || chip_index < 0 || chip_index > 1) {
msg_perr("DualBIOS: Invalid chip index requested - choose 0 or 1.\n");
+ free(param);
exit_conf_mode_ite(port);
return 1;
}
+ free(param);
if (chip_index != (tmp & 1)) {
msg_pdbg("DualBIOS: Previous chip index: %d\n", tmp & 1);
sio_write(port, 0xEF, (tmp & 0xFE) | chip_index);
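
Review bot: The validity check after strtol() still accepts an empty `param`, because with no digits consumed strtol() returns 0 and leaves `dualbiosindex_suffix` equal to `param`, so `*dualbiosindex_suffix != '\0'` is false and chip index 0 gets selected. Now that `param` stays allocated until after the check, consider adding `dualbiosindex_suffix == param` to the condition, unless the caller already rejects an empty value. Separately, `free(param)` now appears on both the error path and the success path; capturing the result of the condition in a local flag, then calling `free(param)` once before branching on that flag, would keep a single free and make it obvious that `dualbiosindex_suffix` must not be read afterwards.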

Gerrit-Project: flashrom
Gerrit-Branch: 1.0.x
Gerrit-Change-Id: I79f18f6077c77c0cbb8bfa431e17f9b079f11c95
Gerrit-Change-Number: 67841
Gerrit-PatchSet: 1
Gerrit-Owner: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: Angel Pons <th3fanbus@gmail.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-Attention: Angel Pons <th3fanbus@gmail.com>
Gerrit-MessageType: newchange