author    Cyril Bur <cyril.bur@au1.ibm.com>    2017-08-03 16:45:43 +1000
committer Stewart Smith <stewart@linux.vnet.ibm.com>    2017-08-15 16:37:14 +1000
commit    00d05bc8a20abfdc2d692cccb250844f1477e95a (patch)
tree      e7d79d95ecc313b3ed6867bb0b447857ce9ef8d9
parent    b11fd35325a875eef987de1d3affc60c0c222d23 (diff)
libflash/blocklevel: Fix theoretical use after free (CID 145924)
If we extend the ECC protection array and subsequently decide to merge regions in one call then there would be a use after free bug.

While this exists in theory and was caught by Coverity, it should never happen since we only merge regions if we're low on space but the cause of the use after free is due to having just created more space. Nevertheless, this is the kind of ticking timebomb that simply requires some code rearrangement or different 'optimisations' to become possible. Best to just make it impossible.

Fixes CID 145924

Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
 libflash/blocklevel.c | 1 +
 1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/libflash/blocklevel.c b/libflash/blocklevel.c
index d2b7eaa..33d5c5d 100644
--- a/libflash/blocklevel.c
+++ b/libflash/blocklevel.c
@@ -591,6 +591,7 @@ static bool insert_bl_prot_range(struct blocklevel_range *ranges, struct bl_prot
memcpy(&new_ranges[insert_pos], &range, sizeof(range));
ranges->prot = new_ranges;
ranges->n_prot++;
+ prot = new_ranges;
}
/* Probably only worth mergeing when we're low on space */
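Review bot: the added `prot = new_ranges;` re-synchronises a local alias with `ranges->prot` after the array is reallocated, which closes the stale-pointer window in this branch, but it leaves the alias itself in place, so any future path that resizes `ranges->prot` without also updating `prot` reintroduces the same use after free. A sturdier version of this fix would drop the local alias and read `ranges->prot` directly in the merge code that follows the `/* Probably only worth mergeing ... */` comment, or at least add a one-line comment above the new assignment stating that `prot` must track `ranges->prot` across the grow. While touching this function, the context comment's "mergeing" can be corrected to "merging".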