[Skiboot] [PATCH 04/12] libflash/blocklevel: Fix theoretical use after free (CID 145924)

Cyril Bur cyril.bur at au1.ibm.com
Thu Aug 3 16:45:43 AEST 2017

If we extend the ECC protection array and subsequently decide to merge
regions in one call then there would be a use after free bug. While this
exists in theory and was caught by Coverity, it should never happen
since we only merge regions if we're low on space but the cause of the
use after free is due to having just created more space.

Nevertheless, this is the kind of ticking timebomb that simply requires
some code rearrangement or different 'optimisations' to become possible.
Best to just make it impossible.

Fixes CID 145924

Signed-off-by: Cyril Bur <cyril.bur at au1.ibm.com>
 libflash/blocklevel.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libflash/blocklevel.c b/libflash/blocklevel.c
index d2b7eaa0..33d5c5d2 100644
--- a/libflash/blocklevel.c
+++ b/libflash/blocklevel.c
@@ -591,6 +591,7 @@ static bool insert_bl_prot_range(struct blocklevel_range *ranges, struct bl_prot
 		memcpy(&new_ranges[insert_pos], &range, sizeof(range));
 		ranges->prot = new_ranges;
+		prot = new_ranges;
 	/* Probably only worth mergeing when we're low on space */
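Review bot: the added `prot = new_ranges;` after `ranges->prot = new_ranges;` closes the stale-alias window, but it leaves two names for the same buffer live for the rest of the function, which is exactly how the use after free could arise in the first place; consider having the merge path that follows read `ranges->prot` directly (or scoping the local so it is not reachable after the grow), so a later reordering of the grow and merge steps cannot reintroduce the bug. While touching this region, the context line `/* Probably only worth mergeing when we're low on space */` misspells "merging" and could be fixed in the same hunk.

The hazard the commit message describes, a local pointer that aliases a struct field and goes stale when the field is reallocated, is easy to reproduce outside libflash. The following is an added, self-contained illustration written for this page; it is not skiboot code, and the names (`struct range_list`, `insert_prot_range`, `merge_ranges`, `demo`) and the simplified sorted-array layout are assumptions chosen to mirror the shape of the hunk. The grow path frees the old array and then refreshes the local alias, the one-line fix of the patch; the comment marks where the merge step would otherwise touch freed memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified stand-in for a protection range; not libflash's type. */
struct prot_range {
    uint64_t start;
    uint64_t len;
};

struct range_list {
    struct prot_range *prot;  /* sorted by start, kept non-overlapping */
    int n_prot;               /* entries in use */
    int total;                /* entries allocated */
};

/* Collapse adjacent or overlapping neighbours in place; returns merges done. */
int merge_ranges(struct prot_range *prot, int *n)
{
    int merged = 0;
    for (int i = 0; i + 1 < *n; ) {
        uint64_t end_a = prot[i].start + prot[i].len;
        if (end_a >= prot[i + 1].start) {
            uint64_t end_b = prot[i + 1].start + prot[i + 1].len;
            prot[i].len = (end_a > end_b ? end_a : end_b) - prot[i].start;
            memmove(&prot[i + 1], &prot[i + 2],
                    (size_t)(*n - i - 2) * sizeof(*prot));
            (*n)--;
            merged++;
        } else {
            i++;
        }
    }
    return merged;
}

/* Insert `range` in sorted order, growing the array when full, then merge.
 * Returns false only on allocation failure. */
bool insert_prot_range(struct range_list *ranges, struct prot_range range)
{
    struct prot_range *prot = ranges->prot;  /* local alias of the field: the hazard */
    int n = ranges->n_prot;
    int insert_pos = 0;

    while (insert_pos < n && prot[insert_pos].start < range.start)
        insert_pos++;

    if (n == ranges->total) {
        int new_total = ranges->total ? ranges->total * 2 : 4;
        struct prot_range *new_ranges = malloc((size_t)new_total * sizeof(*new_ranges));
        if (!new_ranges)
            return false;
        if (insert_pos)
            memcpy(new_ranges, prot, (size_t)insert_pos * sizeof(*prot));
        if (n - insert_pos)
            memcpy(&new_ranges[insert_pos + 1], &prot[insert_pos],
                   (size_t)(n - insert_pos) * sizeof(*prot));
        free(prot);                /* the old buffer is gone from here on */
        ranges->prot = new_ranges;
        ranges->total = new_total;
        prot = new_ranges;         /* refresh the alias: the patch's one-line fix */
    } else {
        memmove(&prot[insert_pos + 1], &prot[insert_pos],
                (size_t)(n - insert_pos) * sizeof(*prot));
    }
    prot[insert_pos] = range;
    n++;

    /* Without the refresh above, this call would read and write the freed
     * buffer on the grow path: the use after free the commit message describes. */
    merge_ranges(prot, &n);
    ranges->n_prot = n;
    return true;
}

/* Constructed scenario: fill the initial capacity of 4, then insert a range that
 * both forces a grow and is adjacent to its neighbours so merging runs on the
 * freshly allocated buffer. Returns the final entry count, or -1 on failure. */
int demo(uint64_t *first_len)
{
    struct range_list rl = { NULL, 0, 0 };
    struct prot_range seq[] = {
        { 0x100, 0x100 }, { 0x300, 0x100 }, { 0x500, 0x100 }, { 0x700, 0x100 },
        { 0x200, 0x100 },  /* fifth insert triggers the grow, then merges with 0x100 and 0x300 */
    };
    for (size_t i = 0; i < sizeof(seq) / sizeof(seq[0]); i++)
        if (!insert_prot_range(&rl, seq[i]))
            return -1;
    if (first_len)
        *first_len = rl.prot[0].len;
    int n = rl.n_prot;
    free(rl.prot);
    return n;
}

int main(void)
{
    uint64_t len = 0;
    int n = demo(&len);
    printf("%d ranges after insert+merge, first range len 0x%llx\n",
           n, (unsigned long long)len);
    return n == 3 && len == 0x300 ? 0 : 1;
}
```

Running it under AddressSanitizer (`-fsanitize=address`) with the `prot = new_ranges;` line removed is the quickest way to see the heap-use-after-free report the commit message anticipates; with the line present, the three surviving ranges are {0x100, len 0x300}, {0x500, len 0x100}, {0x700, len 0x100}.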
