commit 7d08a85d38049d7d6ba450dac1d21b82683b390e
author Gary Bisson <bisson.gary@gmail.com> Wed Apr 02 16:42:19 2025 +0200
committer Mattijs Korpershoek <mkorpershoek@kernel.org> Thu Apr 10 10:03:21 2025 +0200
tree 857e756bc4f0b85575db3247e2e2d2009e1007b8
parent bd8e8e41af36c9c6f5cd89cae8055a530b01fd1f

bootstd: android: avoid possible null pointer dereference

- avb_slot_verify_data_free() doesn't check its data parameter
- out_data can be null if avb_slot_verify() fails to allocate memory

Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Link: https://lore.kernel.org/r/20250402144219.1875067-1-bisson.gary@gmail.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@kernel.org>

boot/bootmeth_android.c

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index a5a86b2..654ebfd 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -455,7 +455,8 @@
 		if (result != AVB_SLOT_VERIFY_RESULT_OK) {
 			printf("Verification failed, reason: %s\n",
 			       str_avb_slot_error(result));
-			avb_slot_verify_data_free(out_data);
+			if (out_data)
+				avb_slot_verify_data_free(out_data);
 			return log_msg_ret("avb verify", -EIO);
 		}
 		boot_state = AVB_GREEN;
@@ -465,7 +466,8 @@
 		    result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
 			printf("Unlocked verification failed, reason: %s\n",
 			       str_avb_slot_error(result));
-			avb_slot_verify_data_free(out_data);
+			if (out_data)
+				avb_slot_verify_data_free(out_data);
 			return log_msg_ret("avb verify unlocked", -EIO);
 		}
 		boot_state = AVB_ORANGE;