On Mon, Sep 13, 2021 at 10:29:57AM +0200, Ahmad Fatoum wrote:
> firmware_set_searchpath() is used to temporarily extend the firmware search
> path when parsing boot spec files. It does so by first freeing the
> original firmware pointer and then storing a pointer to a copy of the
> new search path.
>
> firmware_get_searchpath() returns this pointer without copying, meaning
> that the following sequence causes a use-after-free:
>
> old_fws = firmware_get_searchpath();
> firmware_set_searchpath(fws); /* calls free(old_fws) */
> firmware_set_searchpath(old_fws);
>
> Fix this by keeping around a copy of the search path.
>
> Fixes: dfebbb0a5944 ("blspec: Set firmware searchpath")
> Signed-off-by: Ahmad Fatoum <ahmad@xxxxxx>
> ---
>  common/blspec.c    | 4 ++--
>  common/firmware.c  | 4 ++--
>  include/firmware.h | 4 ++--
>  3 files changed, 6 insertions(+), 6 deletions(-)

Applied, thanks

Sascha

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox