Bug #496

open

Missing malloc check in libpayload

Added by Keith Makan 10 months ago. Updated 9 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Payloads
Target version:
Start date: 06/27/2023
Due date:
% Done: 0%
Estimated time:
Affected versions:
Needs backport to:
Affected hardware: ALL
Affected OS: ALL

Description

libpayload in payload/libpayload/drivers/options.c::get_option_as_string does not issue a NULL check against malloc's return code.
Should there be a NOMEM error, this may result in a NULL pointer deref or crash.

The following code extract illustrates the mentioned issue:
```
int get_option_as_string(const struct nvram_accessor *nvram, struct cb_cmos_option_table *option_table, char **dest, const char *name)
{
	...

	/* extra byte to ensure 0-terminated strings */
	raw = malloc(cmos_length+1);
	memset(raw, 0, cmos_length+1); /* <--- no check against malloc's return code */
```
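
A checked form of the allocation pattern above, with an injectable allocator so the out-of-memory path can be exercised in a test. This is an added example, not coreboot's code or a patch from the reporter: `option_as_string_checked`, `alloc_fn`, `failing_alloc` and `read_raw_option` are hypothetical names, and the return convention (0 on success, 1 on failure) is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook, so the out-of-memory path can be forced. */
typedef void *(*alloc_fn)(size_t);

static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Hypothetical stand-in for the NVRAM read; fills buf with constructed data. */
static int read_raw_option(char *buf, size_t len)
{
	memset(buf, 'A', len);
	return 0;
}

/* Assumed convention: 0 on success, 1 on failure; *dest is NULL on failure. */
int option_as_string_checked(alloc_fn alloc, int cmos_length, char **dest)
{
	char *raw;

	if (dest == NULL || cmos_length < 0)
		return 1;
	*dest = NULL;

	/* extra byte to ensure 0-terminated strings */
	raw = alloc((size_t)cmos_length + 1);
	if (raw == NULL)	/* the check missing from the reported code */
		return 1;
	memset(raw, 0, (size_t)cmos_length + 1);

	if (read_raw_option(raw, (size_t)cmos_length) != 0) {
		free(raw);
		return 1;
	}
	*dest = raw;
	return 0;
}

int main(void)
{
	char *s = NULL;
	int oom = option_as_string_checked(failing_alloc, 4, &s);
	int ok = option_as_string_checked(malloc, 4, &s);

	printf("oom path: %d, normal path: %d (%s)\n", oom, ok, ok ? "-" : s);
	free(s);
	return !(oom == 1 && ok == 0);
}
```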

#1

Updated by Martin Roth 9 months ago

  • Category set to Payloads