[coreboot-gerrit] New patch to review for coreboot: 75040b9 libpayload: fix use-after-free in usb_exit()

Mathias Krause (minipli@googlemail.com) gerrit at coreboot.org
Mon Mar 25 12:10:23 CET 2013


Mathias Krause (minipli at googlemail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/2900

-gerrit

commit 75040b90c9a403905312d3f90636b606e6e5ecaf
Author: Mathias Krause <minipli at googlemail.com>
Date:   Sun Mar 24 19:40:02 2013 +0100

    libpayload: fix use-after-free in usb_exit()
    
    The controller's shutdown function free()s the controller structure so
    we shouldn't access it any more after calling shutdown.
    
    As all controllers detach themselves, i.e. unchain themselves from usb_hcs,
    just keep iterating over usb_hcs until it's NULL.
    
    Change-Id: Ie85caba0f685494c3fe04c550a5a14bc4158a94e
    Signed-off-by: Mathias Krause <minipli at googlemail.com>
---
 payloads/libpayload/drivers/usb/usb.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/payloads/libpayload/drivers/usb/usb.c b/payloads/libpayload/drivers/usb/usb.c
index 0448d38..23561c4 100644
--- a/payloads/libpayload/drivers/usb/usb.c
+++ b/payloads/libpayload/drivers/usb/usb.c
@@ -74,12 +74,8 @@ detach_controller (hci_t *controller)
 int
 usb_exit (void)
 {
-	if (usb_hcs == 0)
-		return 0;
-	hci_t *controller = usb_hcs;
-	while (controller != NULL) {
-		controller->shutdown(controller);
-		controller = controller->next;
+	while (usb_hcs != NULL) {
+		usb_hcs->shutdown(usb_hcs);
 	}
 	return 0;
 }
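
Review bot: The new `while (usb_hcs != NULL)` loop in usb_exit() terminates only if every controller's shutdown() unchains itself from usb_hcs. The commit message states that requirement, but the code neither documents nor enforces it. A host controller driver whose shutdown path returns without detaching would leave usb_hcs unchanged, so the loop would call shutdown on the same head again and never exit. Please add a comment above the loop spelling out that shutdown() must detach the controller, and consider remembering the head pointer before the call and bailing out (or calling detach_controller on it) if usb_hcs still holds the same value afterwards. Dropping the old `if (usb_hcs == 0)` early return is fine, since the loop condition already covers the empty list.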


