[PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail
Ahmad Fatoum
a.fatoum at pengutronix.de
Tue Oct 21 07:54:13 PDT 2025
If the realloc call unexpectedly succeeds, the p pointer is invalidated,
but it's free'd unconditionally later on, which triggers a
use-after-free.
Account for this by zeroing p when it becomes stale.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
test/self/malloc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/test/self/malloc.c b/test/self/malloc.c
index 52f9fc344c1a..a60e95b2233f 100644
--- a/test/self/malloc.c
+++ b/test/self/malloc.c
@@ -109,9 +109,15 @@ static void test_malloc(void)
if (mem_malloc_size) {
tmp = expect_alloc_fail(realloc(p, mem_malloc_size));
+ if (tmp)
+ p = NULL;
+
free(tmp);
tmp = expect_alloc_fail(realloc(p, RELOC_HIDE(MALLOC_MAX_SIZE, -1)));
+ if (tmp)
+ p = NULL;
+
free(tmp);
} else {
skipped_tests += 2;
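Review bot: both added `if (tmp) p = NULL;` checks in test_malloc() lack a comment explaining why p is cleared, and the same two lines appear after each realloc call. A one-line comment such as "realloc unexpectedly succeeded, so p is stale and owned by tmp now" would make the intent clear to the next reader. Note also that once the first check fires, the second call becomes realloc(NULL, RELOC_HIDE(MALLOC_MAX_SIZE, -1)), so it no longer exercises resizing a live allocation. That is harmless for a test that has already reported a failure, but it is worth stating in the commit message or the comment so the changed coverage in that path is deliberate.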
--
2.47.3