diff options
author | Paul Emge <paulemge@forallsecure.com> | 2019-07-08 16:37:04 -0700 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2019-07-18 11:31:28 -0400 |
commit | 6e5a79de658cb1c8012c86e0837379aa6eabd024 (patch) | |
tree | 29fae8aea17e98fed0adbf28815066e5c2594db0 | |
parent | 232e2f4fd9a24bf08215ddc8c53ccadffc841fb5 (diff) | |
download | u-boot-6e5a79de658cb1c8012c86e0837379aa6eabd024.zip u-boot-6e5a79de658cb1c8012c86e0837379aa6eabd024.tar.gz u-boot-6e5a79de658cb1c8012c86e0837379aa6eabd024.tar.bz2 |
CVE-2019-13105: ext4: fix double-free in ext4_cache_read
ext_cache_read doesn't null cache->buf, after freeing, which results
in a later function double-freeing it. This patch fixes
ext_cache_read to call ext_cache_fini instead of free.
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-rw-r--r-- | fs/ext4/ext4fs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c index 26db677..85dc122 100644 --- a/fs/ext4/ext4fs.c +++ b/fs/ext4/ext4fs.c @@ -286,7 +286,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size) if (!cache->buf) return 0; if (!ext4fs_devread(block, 0, size, cache->buf)) { - free(cache->buf); + ext_cache_fini(cache); return 0; } cache->block = block; |