From 09fa1dc8b4c194410d2b4a4f97517b455a247c58 Mon Sep 17 00:00:00 2001 From: Jan Vaclav Date: Tue, 7 Apr 2026 13:17:16 +0200 Subject: [PATCH] initrd: fix use-after-free when multiple iBFT entries fail The error variable is declared outside the loop but freed with g_error_free() which does not reset the pointer to NULL. On the next iteration, g_set_error() sees a non-NULL *err (dangling pointer) and error->message dereferences freed memory. Use g_clear_error() instead which also resets the pointer. Found by Coverity (CID: USE_AFTER_FREE). Fixes: ecc074b2f8a6 ('initrd: add command line parser') Co-Authored-By: Claude Opus 4.6 (cherry picked from commit 33871478b7cfdf717eff14de1f2928874d9352e1) --- src/nm-initrd-generator/nmi-cmdline-reader.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nm-initrd-generator/nmi-cmdline-reader.c b/src/nm-initrd-generator/nmi-cmdline-reader.c index f9b0fa161b..5d91d15796 100644 --- a/src/nm-initrd-generator/nmi-cmdline-reader.c +++ b/src/nm-initrd-generator/nmi-cmdline-reader.c @@ -409,7 +409,7 @@ reader_read_all_connections_from_fw(Reader *reader, const char *sysfs_dir) if (!nmi_ibft_update_connection_from_nic(connection, nic, &error)) { _LOGW(LOGD_CORE, "Unable to merge iBFT configuration: %s", error->message); - g_error_free(error); + g_clear_error(&error); continue; }