Re: [PATCH v6] hw/core/loader-fit: fix freeing errp in fit_load_fdt

[Markus Armbruster]

Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com> writes:

> fit_load_fdt forget to check that errp is not NULL and to zero it after
> freeing. Fix it.
>
> Signed-off-by: Vladimir Sementsov-Ogievskiy <vsement...@virtuozzo.com>
> Reviewed-by: Eric Blake <ebl...@redhat.com>
> ---
>  hw/core/loader-fit.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
> index 953b16bc82..3ee9fb2f2e 100644
> --- a/hw/core/loader-fit.c
> +++ b/hw/core/loader-fit.c
> @@ -200,7 +200,10 @@ static int fit_load_fdt(const struct fit_loader *ldr, 
> const void *itb,
>      err = fit_image_addr(itb, img_off, "load", &load_addr, errp);
>      if (err == -ENOENT) {
>          load_addr = ROUND_UP(kernel_end, 64 * KiB) + (10 * MiB);
> -        error_free(*errp);
> +        if (errp) {
> +            error_free(*errp);
> +            *errp = NULL;
> +        }
>      } else if (err) {
>          error_prepend(errp, "unable to read FDT load address from FIT: ");
>          ret = err;

This fixes latent bugs when fit_image_addr() fails with ENOENT:

* If a caller passes a null @errp, we crash dereferencing it

* Else, we pass a dangling Error * to the caller, and return success.
  If a caller dereferences the Error * regardless, we have a
  use-after-free.

Not fixed:

* If a caller passes &error_abort or &error_fatal, we die instead of
  taking the recovery path.

We need to use a local_err here.

I'll search for the pattern, and post fix(es).