authorPaul Emge <paulemge@forallsecure.com>2019-07-08 16:37:04 -0700
committerTom Rini <trini@konsulko.com>2019-07-18 11:31:28 -0400
commit6e5a79de658cb1c8012c86e0837379aa6eabd024 (patch)
tree29fae8aea17e98fed0adbf28815066e5c2594db0
parent232e2f4fd9a24bf08215ddc8c53ccadffc841fb5 (diff)
CVE-2019-13105: ext4: fix double-free in ext4_cache_read
ext_cache_read doesn't null cache->buf after freeing it, which results in a later function double-freeing it. This patch fixes ext_cache_read to call ext_cache_fini instead of free.

Signed-off-by: Paul Emge <paulemge@forallsecure.com>
-rw-r--r--fs/ext4/ext4fs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 26db677..85dc122 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -286,7 +286,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size)
if (!cache->buf)
return 0;
if (!ext4fs_devread(block, 0, size, cache->buf)) {
- free(cache->buf);
+ ext_cache_fini(cache);
return 0;
}
cache->block = block;
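Review bot: The failure branch after `ext4fs_devread` now depends on `ext_cache_fini` clearing `cache->buf`, but nothing at the call site records that, so a later cleanup could swap it back to a bare `free` and reintroduce the double free. The body of `ext_cache_fini` is not in this hunk, so it is worth confirming that it sets the pointer to NULL (and presumably resets the cached block and size) rather than only freeing it. I would add a comment above the call such as `/* not free(): cache->buf must be cleared, or later cleanup frees it twice (CVE-2019-13105) */`. `ext_cache_read` starts before and continues after the hunk, so the allocation and the success path were not reviewed here.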