[U-Boot] [PATCH v2 0/6] handle compression buffer overflows
Simon Glass
sjg at chromium.org
Thu Aug 29 01:27:19 CEST 2013
Hi Kees,
On Wed, Aug 28, 2013 at 12:13 PM, Kees Cook <keescook at chromium.org> wrote:
> Hi,
>
> Can someone commit this series? It's been fully acked now...
I'm happy to pull these in for Tom.
I see a few warnings when I run buildman:
$ ./tools/buildman/buildman -b us-kees sandbox -se
Summary of 7 commits for 1 boards (1 thread, 32 jobs per thread)
01: omap5: Correct include order, drop CONFIG_SYS_PROMPT define
02: sandbox: add compression tests
sandbox: + sandbox
+cmd_bootm.c: In function ‘bootm_load_os’:
+cmd_bootm.c:443:11: warning: passing argument 4 of ‘lzop_decompress’
from incompatible pointer type [enabled by default]
+/usr/local/google/c/cosarm/src/third_party/u-boot/us-kees/.bm-work/00/include/linux/lzo.h:31:5:
note: expected ‘size_t *’ but argument is of type ‘uint *’
+cmd_ximg.c: In function ‘do_imgextract’:
+cmd_ximg.c:225:6: warning: cast to pointer from integer of different
size [-Wint-to-pointer-cast]
+cmd_ximg.c:225:14: warning: ‘hdr’ may be used uninitialized in this
function [-Wuninitialized]
03: documentation: add more compression configs
04: gzip: correctly bounds-check output buffer
05: lzma: correctly bounds-check output buffer
06: lzo: correctly bounds-check output buffer
07: bootm: allow correct bounds-check of destination
I believe these are pre-existing, but didn't happen for sandbox since
it was not enabling these options, but could you please create a patch
to fix these that we can apply first?
To build for sandbox: 'make sandbox_config; make'
Regards,
Simon
>
> Thanks,
>
> -Kees
>
> On Fri, Aug 16, 2013 at 7:59 AM, Kees Cook <keescook at chromium.org> wrote:
>> v2: added acks, various suggested cleanups
>>
>> This series fixes gzip, lzma, and lzo to not overflow when writing
>> to output buffers. Without this, it might be possible for untrusted
>> compressed input to overflow the buffers used to hold the decompressed
>> image.
>>
>> To catch these conditions, I added a series of compression tests available
>> in the sandbox build. Without the fixes in patches 3, 4, and 5, the
>> overflows are visible.
>>
>> Thanks,
>>
>> -Kees
>>
>> Kees Cook (6):
>> sandbox: add compression tests
>> documentation: add more compression configs
>> gzip: correctly bounds-check output buffer
>> lzma: correctly bounds-check output buffer
>> lzo: correctly bounds-check output buffer
>> bootm: allow correct bounds-check of destination
>>
>> README | 9 ++
>> common/cmd_bootm.c | 2 +-
>> include/configs/sandbox.h | 5 +
>> lib/gunzip.c | 4 +-
>> lib/lzma/LzmaTools.c | 8 +-
>> lib/lzo/lzo1x_decompress.c | 8 +-
>> test/Makefile | 1 +
>> test/compression.c | 335 ++++++++++++++++++++++++++++++++++++++++++++
>> 8 files changed, 366 insertions(+), 6 deletions(-)
>> create mode 100644 test/compression.c
>>
>> _______________________________________________
>> U-Boot mailing list
>> U-Boot at lists.denx.de
>> http://lists.denx.de/mailman/listinfo/u-boot
>
>
>
> --
> Kees Cook
> Chrome OS Security
More information about the U-Boot
mailing list