From 30b87356f09dd2508e555a4296847fe256794d7c Mon Sep 17 00:00:00 2001
From: Angel Pons <th3fanbus@gmail.com>
Date: Mon, 19 Oct 2020 14:20:36 +0200
Subject: [PATCH] it87spi.c: Prevent use-after-free bug

The memory for the `param` string is aliased by `dualbiosindex_suffix`.
Moreover, `errno` could have been modified by the call to `free()`.
Therefore, only free the former when there are no more uses of either.

Change-Id: I79f18f6077c77c0cbb8bfa431e17f9b079f11c95
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/46551
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/67841
Reviewed-by: Felix Singer <felixsinger@posteo.net>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
---
 it87spi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/it87spi.c b/it87spi.c
index 0a1e8942f..a2188fc61 100644
--- a/it87spi.c
+++ b/it87spi.c
@@ -139,12 +139,13 @@ static uint16_t it87spi_probe(uint16_t port)
 			char *dualbiosindex_suffix;
 			errno = 0;
 			long chip_index = strtol(param, &dualbiosindex_suffix, 0);
-			free(param);
 			if (errno != 0 || *dualbiosindex_suffix != '\0' || chip_index < 0 || chip_index > 1) {
 				msg_perr("DualBIOS: Invalid chip index requested - choose 0 or 1.\n");
+				free(param);
 				exit_conf_mode_ite(port);
 				return 1;
 			}
+			free(param);
 			if (chip_index != (tmp & 1)) {
 				msg_pdbg("DualBIOS: Previous chip index: %d\n", tmp & 1);
 				sio_write(port, 0xEF, (tmp & 0xFE) | chip_index);