[PATCH v2 1/2] state: do not panic on flipped bits in on-disk sizes
Ahmad Fatoum
a.fatoum at pengutronix.de
Thu Aug 21 13:46:57 PDT 2025
We allocate some buffers with a size that's ultimately dictated by
on-disk metadata. This metadata can be incorrect and state is supposed
to handle that by storing the data redundantly in three buckets.
Due to the use of x-family functions, we triggered a panic though, which
made an unfortunate bitflip an irrecoverable error.
Fix this by switching the allocations in question to non-panicking ones
and propagating the error. This issue has been detected by libfuzzer.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
v1 -> v2:
- also check for zero byte allocations
---
common/state/backend_bucket_circular.c | 10 ++++++----
common/state/backend_bucket_direct.c | 6 +++---
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/common/state/backend_bucket_circular.c b/common/state/backend_bucket_circular.c
index 6b5873aa9af1..9fe38bc9c508 100644
--- a/common/state/backend_bucket_circular.c
+++ b/common/state/backend_bucket_circular.c
@@ -265,9 +265,9 @@ static int state_backend_bucket_circular_read(struct state_backend_storage_bucke
offset = circ->write_area - read_len;
}
- buf = xmalloc(read_len);
- if (!buf)
- return -ENOMEM;
+ buf = malloc(read_len);
+ if (ZERO_OR_NULL_PTR(buf))
+ return buf ? -EINVAL : -ENOMEM;
dev_dbg(circ->dev, "Read state from PEB %u global offset %lld length %zd\n",
circ->eraseblock, (long long) offset, read_len);
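Review bot: the combined `ZERO_OR_NULL_PTR(buf)` test followed by `return buf ? -EINVAL : -ENOMEM;` is correct but non-obvious, since it relies on the reader knowing that a zero-length malloc() yields ZERO_SIZE_PTR rather than NULL; a one-line comment before the check, along the lines of `/* read_len comes from on-disk metadata; 0 means it is corrupt */`, would make the -EINVAL branch self-explanatory. It is also worth noting in the commit message that the removed `if (!buf) return -ENOMEM;` was unreachable with xmalloc() (which panics instead of returning NULL), so this hunk turns a dead check into a live one rather than adding a new path.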
@@ -311,7 +311,9 @@ static int state_backend_bucket_circular_write(struct state_backend_storage_buck
* We need zero initialization so that our data comparisons don't show
* random changes
*/
- write_buf = xzalloc(written_length);
+ write_buf = calloc(1, written_length);
+ if (ZERO_OR_NULL_PTR(write_buf))
+ return write_buf ? -EINVAL : -ENOMEM;
memcpy(write_buf, buf, len);
meta = (struct state_backend_storage_bucket_circular_meta *)
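Review bot: the `memcpy(write_buf, buf, len);` immediately after the new check copies `len` bytes into a buffer of `written_length` bytes, and the relation between the two values is not visible in this hunk; given that the series is about not trusting sizes, please confirm (or guard explicitly) that `written_length >= len` before the copy, otherwise a zero-size allocation is caught but a too-small one is not. The switch from xzalloc() to `calloc(1, written_length)` preserves the zero initialization that the preceding comment says the data comparisons depend on, so that part looks right.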
diff --git a/common/state/backend_bucket_direct.c b/common/state/backend_bucket_direct.c
index 03c752d6fe41..2ee0c7184193 100644
--- a/common/state/backend_bucket_direct.c
+++ b/common/state/backend_bucket_direct.c
@@ -92,9 +92,9 @@ static int state_backend_bucket_direct_read(struct state_backend_storage_bucket
}
- buf = xmalloc(read_len);
- if (!buf)
- return -ENOMEM;
+ buf = malloc(read_len);
+ if (ZERO_OR_NULL_PTR(buf))
+ return buf ? -EINVAL : -ENOMEM;
dev_dbg(direct->dev, "Read state from %lld length %d\n", (long long) direct->offset,
header_len + read_len);
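Review bot: this is the third copy of the `ZERO_OR_NULL_PTR()` / `buf ? -EINVAL : -ENOMEM` idiom in the series; a small shared helper in the state code that maps an allocation result to an errno would keep the three sites from diverging as they are touched later. Separately, returning -EINVAL silently for a zero `read_len` makes the corruption this patch is designed to survive hard to diagnose after the fact; a dev_dbg() or dev_warn() on that branch, matching the dev_dbg() already on the following line, would make it visible why a bucket was rejected when the redundant copies disagree.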
--
2.39.5