flash/nor/core: fix double-free crash with 'virtual' flash banks
author Bohdan Tymkiv <bhdt@cypress.com>
Fri, 27 Apr 2018 12:37:28 +0000 (15:37 +0300)
committer Tomas Vanek <vanekt@fbl.cz>
Tue, 5 Jun 2018 10:29:33 +0000 (11:29 +0100)

flash_bank structure of 'virtual' flash driver is a full copy of
the master flash_bank structure including bank->sectors and
bank->prot_blocks pointers. These pointers point to memory
locations allocated by the master driver and thus master driver
is responsible for deallocating them.

Do not free bank->sectors and bank->prot_blocks of 'virtual'
driver since they were already released by master flash driver.

Change-Id: I01f373d4adb3fc79e2724964926b9276442c5c52
Signed-off-by: Bohdan Tymkiv <bhdt@cypress.com>
Reviewed-on: http://openocd.zylin.com/4504
Tested-by: jenkins
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
src/flash/nor/core.c

index f05c68b823410e53251a4e758227544331f34c15..49412816c3a2449bae3beba33e508e9d1b4b9571 100644 (file)
@@ -188,9 +188,17 @@ void flash_free_all_banks(void)
                else
                        LOG_WARNING("Flash driver of %s does not support free_driver_priv()", bank->name);
 
                else
                        LOG_WARNING("Flash driver of %s does not support free_driver_priv()", bank->name);
 
+               /* For 'virtual' flash driver bank->sectors and bank->prot_blocks pointers are copied from
+                * master flash_bank structure. They point to memory locations allocated by master flash driver
+                * so master driver is responsible for releasing them.
+                * Avoid UB caused by double-free memory corruption if flash bank is 'virtual'. */
+
+               if (strcmp(bank->driver->name, "virtual") != 0) {
+                       free(bank->sectors);
+                       free(bank->prot_blocks);
+               }
+
                free(bank->name);
                free(bank->name);
-               free(bank->sectors);
-               free(bank->prot_blocks);
                free(bank);
                bank = next;
        }
                free(bank);
                bank = next;
        }
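
Review bot: the `strcmp(bank->driver->name, "virtual") != 0` test in flash_free_all_banks() decides who owns bank->sectors and bank->prot_blocks by comparing a driver name string. Any other driver that borrows these pointers from another bank would hit the same double free, and renaming the driver would silently bring the bug back. Consider recording ownership in the bank itself, for example a flag set by whichever driver copies the pointers, or have the borrowing driver clear its copies in its own teardown so the core can call free() unconditionally. Minor style point: drop the blank line between the new comment block and the `if` so the comment stays attached to the check it explains.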
