[U-Boot] [PATCH v2 0/6] handle compression buffer overflows

Simon Glass sjg at chromium.org
Thu Aug 29 01:27:19 CEST 2013


Hi Kees,

On Wed, Aug 28, 2013 at 12:13 PM, Kees Cook <keescook at chromium.org> wrote:
> Hi,
>
> Can someone commit this series? It's been fully acked now...

I'm happy to pull these in for Tom.

I see a few warnings when I run buildman:

$ ./tools/buildman/buildman -b us-kees sandbox -se
Summary of 7 commits for 1 boards (1 thread, 32 jobs per thread)
01: omap5: Correct include order, drop CONFIG_SYS_PROMPT define
02: sandbox: add compression tests
   sandbox: +   sandbox
+cmd_bootm.c: In function ‘bootm_load_os’:
+cmd_bootm.c:443:11: warning: passing argument 4 of ‘lzop_decompress’ from incompatible pointer type [enabled by default]
+/usr/local/google/c/cosarm/src/third_party/u-boot/us-kees/.bm-work/00/include/linux/lzo.h:31:5: note: expected ‘size_t *’ but argument is of type ‘uint *’
+cmd_ximg.c: In function ‘do_imgextract’:
+cmd_ximg.c:225:6: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+cmd_ximg.c:225:14: warning: ‘hdr’ may be used uninitialized in this function [-Wuninitialized]
03: documentation: add more compression configs
04: gzip: correctly bounds-check output buffer
05: lzma: correctly bounds-check output buffer
06: lzo: correctly bounds-check output buffer
07: bootm: allow correct bounds-check of destination

I believe these are pre-existing, but didn't happen for sandbox since
it was not enabling these options, but could you please create a patch
to fix these that we can apply first?

To build for sandbox: 'make sandbox_config; make'

Regards,
Simon

>
> Thanks,
>
> -Kees
>
> On Fri, Aug 16, 2013 at 7:59 AM, Kees Cook <keescook at chromium.org> wrote:
>> v2: added acks, various suggested cleanups
>>
>> This series fixes gzip, lzma, and lzo to not overflow when writing
>> to output buffers. Without this, it might be possible for untrusted
>> compressed input to overflow the buffers used to hold the decompressed
>> image.
>>
>> To catch these conditions, I added a series of compression tests available
>> in the sandbox build. Without the fixes in patches 3, 4, and 5, the
>> overflows are visible.
>>
>> Thanks,
>>
>> -Kees
>>
>> Kees Cook (6):
>>       sandbox: add compression tests
>>       documentation: add more compression configs
>>       gzip: correctly bounds-check output buffer
>>       lzma: correctly bounds-check output buffer
>>       lzo: correctly bounds-check output buffer
>>       bootm: allow correct bounds-check of destination
>>
>>  README                     |    9 ++
>>  common/cmd_bootm.c         |    2 +-
>>  include/configs/sandbox.h  |    5 +
>>  lib/gunzip.c               |    4 +-
>>  lib/lzma/LzmaTools.c       |    8 +-
>>  lib/lzo/lzo1x_decompress.c |    8 +-
>>  test/Makefile              |    1 +
>>  test/compression.c         |  335 ++++++++++++++++++++++++++++++++++++++++++++
>>  8 files changed, 366 insertions(+), 6 deletions(-)
>>  create mode 100644 test/compression.c
>>
>
>
>
> --
> Kees Cook
> Chrome OS Security

