gdb_server: fix double free 52/6852/2
authorAntonio Borneo <borneo.antonio@gmail.com>
Sat, 19 Feb 2022 15:16:31 +0000 (16:16 +0100)
committerAntonio Borneo <borneo.antonio@gmail.com>
Sat, 26 Feb 2022 15:37:19 +0000 (15:37 +0000)
Commit 6541233aa78d ("Combine register lists of smp targets.")
unconditionally assigns the output pointers of the function
smp_reg_list_noread(), even if the function fails and returns
error.
This causes a double free in the caller, which has assigned NULL
to the pointers to simplify the error handling.

Use local variables in smp_reg_list_noread() and assign the output
pointers only on success.

Change-Id: Ic0fd2f26520566cf322f0190780e15637c01cfae
Fixes: 6541233aa78d ("Combine register lists of smp targets.")
Reported-by: Michele Bisogno <michele.bisogno.ct@renesas.com>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Reviewed-on: https://review.openocd.org/c/openocd/+/6852
Tested-by: jenkins
Reviewed-by: Michele Bisogno <michele.bisogno.ct@renesas.com>
Reviewed-by: Tim Newsome <tim@sifive.com>
src/server/gdb_server.c

index 95720e5616248cdd4fb82b5963081434bfcb62ab..f8a1aac83ac2a9af4bfd35c4040b0a551e5a1de8 100644 (file)
@@ -2272,12 +2272,12 @@ static int smp_reg_list_noread(struct target *target,
                                combined_list_size, REG_CLASS_ALL);
 
        unsigned int combined_allocated = 256;
-       *combined_list = malloc(combined_allocated * sizeof(struct reg *));
-       if (*combined_list == NULL) {
+       struct reg **local_list = malloc(combined_allocated * sizeof(struct reg *));
+       if (!local_list) {
                LOG_ERROR("malloc(%zu) failed", combined_allocated * sizeof(struct reg *));
                return ERROR_FAIL;
        }
-       *combined_list_size = 0;
+       unsigned int local_list_size = 0;
 
        struct target_list *head;
        foreach_smp_target(head, target->smp_targets) {
@@ -2286,7 +2286,7 @@ static int smp_reg_list_noread(struct target *target,
                int result = target_get_gdb_reg_list_noread(head->target, &reg_list,
                                &reg_list_size, reg_class);
                if (result != ERROR_OK) {
-                       free(*combined_list);
+                       free(local_list);
                        return result;
                }
                for (int i = 0; i < reg_list_size; i++) {
@@ -2296,8 +2296,8 @@ static int smp_reg_list_noread(struct target *target,
                                /* Nested loop makes this O(n^2), but this entire function with
                                 * 5 RISC-V targets takes just 2ms on my computer. Fast enough
                                 * for me. */
-                               for (int j = 0; j < *combined_list_size; j++) {
-                                       struct reg *b = (*combined_list)[j];
+                               for (unsigned int j = 0; j < local_list_size; j++) {
+                                       struct reg *b = local_list[j];
                                        if (!strcmp(a->name, b->name)) {
                                                found = true;
                                                if (a->size != b->size) {
@@ -2305,7 +2305,7 @@ static int smp_reg_list_noread(struct target *target,
                                                                        "target, but %d bits on another target.",
                                                                        a->name, a->size, b->size);
                                                        free(reg_list);
-                                                       free(*combined_list);
+                                                       free(local_list);
                                                        return ERROR_FAIL;
                                                }
                                                break;
@@ -2313,16 +2313,16 @@ static int smp_reg_list_noread(struct target *target,
                                }
                                if (!found) {
                                        LOG_DEBUG("[%s] %s not found in combined list", target_name(target), a->name);
-                                       if (*combined_list_size >= (int) combined_allocated) {
+                                       if (local_list_size >= combined_allocated) {
                                                combined_allocated *= 2;
-                                               *combined_list = realloc(*combined_list, combined_allocated * sizeof(struct reg *));
-                                               if (*combined_list == NULL) {
+                                               local_list = realloc(local_list, combined_allocated * sizeof(struct reg *));
+                                               if (!local_list) {
                                                        LOG_ERROR("realloc(%zu) failed", combined_allocated * sizeof(struct reg *));
                                                        return ERROR_FAIL;
                                                }
                                        }
-                                       (*combined_list)[*combined_list_size] = a;
-                                       (*combined_list_size)++;
+                                       local_list[local_list_size] = a;
+                                       local_list_size++;
                                }
                        }
                }
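Review bot: The grow path `local_list = realloc(local_list, combined_allocated * sizeof(struct reg *));` overwrites the only pointer to the list, so when realloc returns NULL the previous buffer leaks, and that failure branch also returns without freeing reg_list, unlike the size-mismatch branch earlier in the same function which frees both reg_list and the combined list. The commit carries this pattern over from the old code with only the pointer renamed. Assign the realloc result to a temporary first and release both buffers when it fails. The enclosing function and the surrounding loops start and end outside this hunk.
```c
if (local_list_size >= combined_allocated) {
	combined_allocated *= 2;
	struct reg **grown = realloc(local_list, combined_allocated * sizeof(struct reg *));
	if (!grown) {
		LOG_ERROR("realloc(%zu) failed", combined_allocated * sizeof(struct reg *));
		free(reg_list);
		free(local_list);
		return ERROR_FAIL;
	}
	local_list = grown;
}
/* … unchanged: append a to local_list and bump local_list_size … */
```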
@@ -2336,12 +2336,12 @@ static int smp_reg_list_noread(struct target *target,
                int result = target_get_gdb_reg_list_noread(head->target, &reg_list,
                                &reg_list_size, reg_class);
                if (result != ERROR_OK) {
-                       free(*combined_list);
+                       free(local_list);
                        return result;
                }
-               for (int i = 0; i < *combined_list_size; i++) {
+               for (unsigned int i = 0; i < local_list_size; i++) {
                        bool found = false;
-                       struct reg *a = (*combined_list)[i];
+                       struct reg *a = local_list[i];
                        for (int j = 0; j < reg_list_size; j++) {
                                struct reg *b = reg_list[j];
                                if (b->exist && !strcmp(a->name, b->name)) {
@@ -2358,6 +2358,8 @@ static int smp_reg_list_noread(struct target *target,
                free(reg_list);
        }
 
+       *combined_list = local_list;
+       *combined_list_size = local_list_size;
        return ERROR_OK;
 }
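Review bot: The fix relies entirely on the outputs being written only on the ERROR_OK path at `*combined_list = local_list;`, yet nothing at the definition states that contract, so a later edit could reintroduce the early assignment the caller's NULL-initialised pointers cannot tolerate. Add a comment above the definition (outside this hunk) along the lines of `/* On success *combined_list receives a malloc'd array that the caller must free() and *combined_list_size its length; on failure neither output is touched. */`. Separately, local_list_size is unsigned int while the removed `(int) combined_allocated` cast in the earlier hunk suggests *combined_list_size is still an int, so the assignment `*combined_list_size = local_list_size;` narrows implicitly and would warn under -Wconversion; if the parameter type is indeed int, either keep the counter as int or cast explicitly. The function's signature is outside this hunk.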
 
