flash/nor/core: fix double-free crash with 'virtual' flash banks 04/4504/2
author Bohdan Tymkiv <bhdt@cypress.com>
Fri, 27 Apr 2018 12:37:28 +0000 (15:37 +0300)
committer Tomas Vanek <vanekt@fbl.cz>
Tue, 5 Jun 2018 10:29:33 +0000 (11:29 +0100)
The flash_bank structure of the 'virtual' flash driver is a full copy of
the master flash_bank structure, including the bank->sectors and
bank->prot_blocks pointers. These pointers point to memory
locations allocated by the master driver, and thus the master driver
is responsible for deallocating them.
Do not free bank->sectors and bank->prot_blocks of the 'virtual'
driver since they were already released by the master flash driver.

Change-Id: I01f373d4adb3fc79e2724964926b9276442c5c52
Signed-off-by: Bohdan Tymkiv <bhdt@cypress.com>
Reviewed-on: http://openocd.zylin.com/4504
Tested-by: jenkins
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
src/flash/nor/core.c
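The aliasing the commit message describes, shown as a small self-contained C model. This is an added example written for this page, not OpenOCD's code: the structures, the driver names, the list helpers and the ownership helper bank_owns_tables() are all constructed here to illustrate the mechanism. A 'virtual' bank is created as a structure copy of its master, so its sectors and prot_blocks pointers alias the master's allocations; the teardown releases each table exactly once, whichever order the banks appear in the list.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the structures involved; not OpenOCD's own definitions. */
struct flash_sector {
	unsigned int offset;
	unsigned int size;
};

struct flash_driver {
	const char *name;
};

struct flash_bank {
	char *name;
	const struct flash_driver *driver;
	struct flash_sector *sectors;      /* allocated by the master driver */
	struct flash_sector *prot_blocks;  /* allocated by the master driver */
	struct flash_bank *next;
};

/* Hypothetical driver names for the example. */
static const struct flash_driver master_driver = { "cfi" };
static const struct flash_driver virtual_driver = { "virtual" };

static struct flash_bank *flash_banks;   /* head of the bank list */

static char *dup_name(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p)
		memcpy(p, s, n);
	return p;
}

static void append_bank(struct flash_bank *bank)
{
	struct flash_bank **pp = &flash_banks;
	while (*pp)
		pp = &(*pp)->next;
	*pp = bank;
}

/* A master bank allocates, and therefore owns, its sector and protection-block tables. */
struct flash_bank *add_master_bank(const char *name, unsigned int nsectors, unsigned int sector_size)
{
	struct flash_bank *bank = calloc(1, sizeof(*bank));
	if (!bank)
		return NULL;
	bank->name = dup_name(name);
	bank->driver = &master_driver;
	bank->sectors = calloc(nsectors, sizeof(*bank->sectors));
	bank->prot_blocks = calloc(nsectors, sizeof(*bank->prot_blocks));
	for (unsigned int i = 0; i < nsectors; i++) {
		bank->sectors[i].offset = i * sector_size;
		bank->sectors[i].size = sector_size;
		bank->prot_blocks[i] = bank->sectors[i];
	}
	append_bank(bank);
	return bank;
}

/* A virtual bank is a structure copy of its master: the two table pointers now alias the master's memory. */
struct flash_bank *add_virtual_bank(const char *name, struct flash_bank *master)
{
	struct flash_bank *bank = malloc(sizeof(*bank));
	if (!bank)
		return NULL;
	*bank = *master;                 /* full copy, including sectors and prot_blocks */
	bank->name = dup_name(name);
	bank->driver = &virtual_driver;
	bank->next = NULL;
	append_bank(bank);
	return bank;
}

/* Ownership test kept in one place so a later explicit flag could replace the name comparison. */
int bank_owns_tables(const struct flash_bank *bank)
{
	return strcmp(bank->driver->name, "virtual") != 0;
}

/* Frees every bank; a table is released only by the bank that owns it.
 * Returns the number of table arrays freed (two per master bank, zero per virtual bank). */
int flash_free_all_banks(void)
{
	int freed_tables = 0;
	struct flash_bank *bank = flash_banks;
	while (bank) {
		struct flash_bank *next = bank->next;
		if (bank_owns_tables(bank)) {
			free(bank->sectors);
			free(bank->prot_blocks);
			freed_tables += 2;
		}
		free(bank->name);
		free(bank);
		bank = next;
	}
	flash_banks = NULL;
	return freed_tables;
}

/* One master followed by two virtual aliases; teardown must free exactly two tables. */
int demo_teardown(void)
{
	struct flash_bank *master = add_master_bank("flash0", 8, 4096);
	add_virtual_bank("flash0.alias_a", master);
	add_virtual_bank("flash0.alias_b", master);
	return flash_free_all_banks();
}
```

Run the demo under AddressSanitizer or valgrind and drop the bank_owns_tables() guard to see the double free the patch removes; with the guard in place the teardown is clean regardless of whether a virtual bank precedes or follows its master in the list.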

index f05c68b..4941281 100644 (file)
@@ -188,9 +188,17 @@ void flash_free_all_banks(void)
                else
                        LOG_WARNING("Flash driver of %s does not support free_driver_priv()", bank->name);
 
+               /* For 'virtual' flash driver bank->sectors and bank->prot_blocks pointers are copied from
+                * master flash_bank structure. They point to memory locations allocated by master flash driver
+                * so master driver is responsible for releasing them.
+                * Avoid UB caused by double-free memory corruption if flash bank is 'virtual'. */
+
+               if (strcmp(bank->driver->name, "virtual") != 0) {
+                       free(bank->sectors);
+                       free(bank->prot_blocks);
+               }
+
                free(bank->name);
-               free(bank->sectors);
-               free(bank->prot_blocks);
                free(bank);
                bank = next;
        }
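Review bot: Selecting the owner by strcmp(bank->driver->name, "virtual") couples core.c to the virtual driver's registered name, so a rename or a second aliasing driver would silently bring the double free back. Consider expressing ownership explicitly instead, either with a flag on flash_bank that the virtual driver sets, or by having the virtual driver's free_driver_priv() (already called just above this hunk) clear bank->sectors and bank->prot_blocks so that the unconditional free() calls become no-ops on NULL. Minor style point: the blank line between the comment block and the `if` it documents should go.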