mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
It is possible to trigger a double free with an invalid verity partition. All it takes is an unknown hash algorithm, which makes it a bit more likely than a completely broken partition header. But all it takes is an error return value of VERITY_read_sb() or strdup().

If crypt_load fails before setting cd->type, crypt_free will handle the union as if it was of type "none", which means it will call free() for "active_name", a field which is only properly set up when the type was actually "none". In all other cases, "active_name" contains the first 4 or 8 bytes of the actually used header structure.

Fortunately it can be only a pointer or NULL, so an attacker has no direct control of the value. Nonetheless it can easily trigger a double free.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
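The union aliasing behind this bug class, as a constructed C model added here (not cryptsetup's own structures or code): the names device_ctx, hdr_none, hdr_verity, buggy_free_target and safe_free_target are hypothetical, and the functions return the pointer that would be freed instead of calling free(), so the model can be checked without corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical model of the layout the commit message describes: a device
 * context whose type string selects which member of a union is live.
 * Constructed for illustration; not cryptsetup's real structures. */
struct hdr_none   { char *active_name; };               /* live when type == "none"   */
struct hdr_verity { char *hash_name; char *root_hash; }; /* live when type == "verity" */

struct device_ctx {
    const char *type;   /* stays NULL if loading fails part-way */
    union {
        struct hdr_none   none;
        struct hdr_verity verity;
    } u;
};

/* The overlap the commit message relies on: union members share storage,
 * so the first pointer written through the verity view is readable as
 * none.active_name. */
bool first_field_aliases(struct device_ctx *cd, char *p)
{
    memset(cd, 0, sizeof(*cd));
    cd->u.verity.hash_name = p;
    return cd->u.none.active_name == p;
}

/* Buggy pattern: an unset type is treated like "none", so a half-loaded
 * verity context hands its hash_name pointer to free() a second time. */
char *buggy_free_target(struct device_ctx *cd)
{
    if (cd->type == NULL || strcmp(cd->type, "none") == 0)
        return cd->u.none.active_name;
    return NULL;
}

/* Hardened pattern: only a context whose type was really set to "none"
 * owns active_name; a context with type still NULL frees nothing here. */
char *safe_free_target(struct device_ctx *cd)
{
    if (cd->type != NULL && strcmp(cd->type, "none") == 0)
        return cd->u.none.active_name;
    return NULL;
}
```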