[U-Boot] Prevent null pointer dereference originating in cmd_pxe.c

Steven Falco stevenfalco at gmail.com
Mon Oct 7 15:51:48 CEST 2013


Pass a valid cmdtp into do_tftpb(), do_ext2load(), and do_get_fat(), to avoid
possible crashes due to null pointer dereferencing.

Signed-off-by: Steven A. Falco <stevenfalco at gmail.com>

---

> This doesn't apply cleanly, nor with --ignore-whitespace for me.  Can
> you please re-check and re-send the patch?  Thanks.

Sorry - I've been having trouble getting Thunderbird to leave my text
alone.  There was some insane "flowed text" setting that I just discovered
and disabled.

I think I've got it right now.  I'll download this email from the list
after I post it, and do a diff to be sure.

Commit d7884e047d08447dfd1374e9fa2fdf7ab36e56f5 does not go far enough.  There
is still at least one call chain that can result in a crash.

The do_tftpb(), do_ext2load(), and do_get_fat() functions expect a valid cmdtp.
Passing in NULL is particularly bad in the do_tftpb() case, because eventually
boot_get_kernel() will be called with a NULL cmdtp:

do_tftpb() -> netboot_common() -> bootm_maybe_autostart() -> do_bootm() ->
do_bootm_states() -> bootm_find_os() -> boot_get_kernel()

Around line 991 in cmd_bootm.c, boot_get_kernel() will dereference the null
pointer, and the board will crash.

diff --git a/common/cmd_pxe.c b/common/cmd_pxe.c
index c5f4a22..79d3a06 100644
--- a/common/cmd_pxe.c
+++ b/common/cmd_pxe.c
@@ -114,16 +114,16 @@ static int get_bootfile_path(const char *file_path, char *bootfile_path,
 	return 1;
 }
 
-static int (*do_getfile)(const char *file_path, char *file_addr);
+static int (*do_getfile)(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr);
 
-static int do_get_tftp(const char *file_path, char *file_addr)
+static int do_get_tftp(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr)
 {
 	char *tftp_argv[] = {"tftp", NULL, NULL, NULL};
 
 	tftp_argv[1] = file_addr;
 	tftp_argv[2] = (void *)file_path;
 
-	if (do_tftpb(NULL, 0, 3, tftp_argv))
+	if (do_tftpb(cmdtp, 0, 3, tftp_argv))
 		return -ENOENT;
 
 	return 1;
@@ -131,27 +131,27 @@ static int do_get_tftp(const char *file_path, char *file_addr)
 
 static char *fs_argv[5];
 
-static int do_get_ext2(const char *file_path, char *file_addr)
+static int do_get_ext2(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr)
 {
 #ifdef CONFIG_CMD_EXT2
 	fs_argv[0] = "ext2load";
 	fs_argv[3] = file_addr;
 	fs_argv[4] = (void *)file_path;
 
-	if (!do_ext2load(NULL, 0, 5, fs_argv))
+	if (!do_ext2load(cmdtp, 0, 5, fs_argv))
 		return 1;
 #endif
 	return -ENOENT;
 }
 
-static int do_get_fat(const char *file_path, char *file_addr)
+static int do_get_fat(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr)
 {
 #ifdef CONFIG_CMD_FAT
 	fs_argv[0] = "fatload";
 	fs_argv[3] = file_addr;
 	fs_argv[4] = (void *)file_path;
 
-	if (!do_fat_fsload(NULL, 0, 5, fs_argv))
+	if (!do_fat_fsload(cmdtp, 0, 5, fs_argv))
 		return 1;
 #endif
 	return -ENOENT;
@@ -165,7 +165,7 @@ static int do_get_fat(const char *file_path, char *file_addr)
  *
  * Returns 1 for success, or < 0 on error.
  */
-static int get_relfile(const char *file_path, void *file_addr)
+static int get_relfile(cmd_tbl_t *cmdtp, const char *file_path, void *file_addr)
 {
 	size_t path_len;
 	char relfile[MAX_TFTP_PATH_LEN+1];
@@ -194,7 +194,7 @@ static int get_relfile(const char *file_path, void *file_addr)
 
 	sprintf(addr_buf, "%p", file_addr);
 
-	return do_getfile(relfile, addr_buf);
+	return do_getfile(cmdtp, relfile, addr_buf);
 }
 
 /*
@@ -204,13 +204,13 @@ static int get_relfile(const char *file_path, void *file_addr)
  *
  * Returns 1 on success, or < 0 for error.
  */
-static int get_pxe_file(const char *file_path, void *file_addr)
+static int get_pxe_file(cmd_tbl_t *cmdtp, const char *file_path, void *file_addr)
 {
 	unsigned long config_file_size;
 	char *tftp_filesize;
 	int err;
 
-	err = get_relfile(file_path, file_addr);
+	err = get_relfile(cmdtp, file_path, file_addr);
 
 	if (err < 0)
 		return err;
@@ -241,7 +241,7 @@ static int get_pxe_file(const char *file_path, void *file_addr)
  *
  * Returns 1 on success or < 0 on error.
  */
-static int get_pxelinux_path(const char *file, void *pxefile_addr_r)
+static int get_pxelinux_path(cmd_tbl_t *cmdtp, const char *file, void *pxefile_addr_r)
 {
 	size_t base_len = strlen(PXELINUX_DIR);
 	char path[MAX_TFTP_PATH_LEN+1];
@@ -254,7 +254,7 @@ static int get_pxelinux_path(const char *file, void *pxefile_addr_r)
 
 	sprintf(path, PXELINUX_DIR "%s", file);
 
-	return get_pxe_file(path, pxefile_addr_r);
+	return get_pxe_file(cmdtp, path, pxefile_addr_r);
 }
 
 /*
@@ -262,7 +262,7 @@ static int get_pxelinux_path(const char *file, void *pxefile_addr_r)
  *
  * Returns 1 on success or < 0 on error.
  */
-static int pxe_uuid_path(void *pxefile_addr_r)
+static int pxe_uuid_path(cmd_tbl_t *cmdtp, void *pxefile_addr_r)
 {
 	char *uuid_str;
 
@@ -271,7 +271,7 @@ static int pxe_uuid_path(void *pxefile_addr_r)
 	if (!uuid_str)
 		return -ENOENT;
 
-	return get_pxelinux_path(uuid_str, pxefile_addr_r);
+	return get_pxelinux_path(cmdtp, uuid_str, pxefile_addr_r);
 }
 
 /*
@@ -280,7 +280,7 @@ static int pxe_uuid_path(void *pxefile_addr_r)
  *
  * Returns 1 on success or < 0 on error.
  */
-static int pxe_mac_path(void *pxefile_addr_r)
+static int pxe_mac_path(cmd_tbl_t *cmdtp, void *pxefile_addr_r)
 {
 	char mac_str[21];
 	int err;
@@ -290,7 +290,7 @@ static int pxe_mac_path(void *pxefile_addr_r)
 	if (err < 0)
 		return err;
 
-	return get_pxelinux_path(mac_str, pxefile_addr_r);
+	return get_pxelinux_path(cmdtp, mac_str, pxefile_addr_r);
 }
 
 /*
@@ -300,7 +300,7 @@ static int pxe_mac_path(void *pxefile_addr_r)
  *
  * Returns 1 on success or < 0 on error.
  */
-static int pxe_ipaddr_paths(void *pxefile_addr_r)
+static int pxe_ipaddr_paths(cmd_tbl_t *cmdtp, void *pxefile_addr_r)
 {
 	char ip_addr[9];
 	int mask_pos, err;
@@ -308,7 +308,7 @@ static int pxe_ipaddr_paths(void *pxefile_addr_r)
 	sprintf(ip_addr, "%08X", ntohl(NetOurIP));
 
 	for (mask_pos = 7; mask_pos >= 0;  mask_pos--) {
-		err = get_pxelinux_path(ip_addr, pxefile_addr_r);
+		err = get_pxelinux_path(cmdtp, ip_addr, pxefile_addr_r);
 
 		if (err > 0)
 			return err;
@@ -359,16 +359,16 @@ do_pxe_get(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 	 * Keep trying paths until we successfully get a file we're looking
 	 * for.
 	 */
-	if (pxe_uuid_path((void *)pxefile_addr_r) > 0 ||
-	    pxe_mac_path((void *)pxefile_addr_r) > 0 ||
-	    pxe_ipaddr_paths((void *)pxefile_addr_r) > 0) {
+	if (pxe_uuid_path(cmdtp, (void *)pxefile_addr_r) > 0 ||
+	    pxe_mac_path(cmdtp, (void *)pxefile_addr_r) > 0 ||
+	    pxe_ipaddr_paths(cmdtp, (void *)pxefile_addr_r) > 0) {
 		printf("Config file found\n");
 
 		return 0;
 	}
 
 	while (pxe_default_paths[i]) {
-		if (get_pxelinux_path(pxe_default_paths[i],
+		if (get_pxelinux_path(cmdtp, pxe_default_paths[i],
 				      (void *)pxefile_addr_r) > 0) {
 			printf("Config file found\n");
 			return 0;
@@ -388,7 +388,7 @@ do_pxe_get(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
  *
  * Returns 1 on success or < 0 on error.
  */
-static int get_relfile_envaddr(const char *file_path, const char *envaddr_name)
+static int get_relfile_envaddr(cmd_tbl_t *cmdtp, const char *file_path, const char *envaddr_name)
 {
 	unsigned long file_addr;
 	char *envaddr;
@@ -401,7 +401,7 @@ static int get_relfile_envaddr(const char *file_path, const char *envaddr_name)
 	if (strict_strtoul(envaddr, 16, &file_addr) < 0)
 		return -EINVAL;
 
-	return get_relfile(file_path, (void *)file_addr);
+	return get_relfile(cmdtp, file_path, (void *)file_addr);
 }
 
 /*
@@ -599,7 +599,7 @@ static int label_boot(cmd_tbl_t *cmdtp, struct pxe_label *label)
 	}
 
 	if (label->initrd) {
-		if (get_relfile_envaddr(label->initrd, "ramdisk_addr_r") < 0) {
+		if (get_relfile_envaddr(cmdtp, label->initrd, "ramdisk_addr_r") < 0) {
 			printf("Skipping %s for failure retrieving initrd\n",
 					label->name);
 			return 1;
@@ -613,7 +613,7 @@ static int label_boot(cmd_tbl_t *cmdtp, struct pxe_label *label)
 		bootm_argv[2] = "-";
 	}
 
-	if (get_relfile_envaddr(label->kernel, "kernel_addr_r") < 0) {
+	if (get_relfile_envaddr(cmdtp, label->kernel, "kernel_addr_r") < 0) {
 		printf("Skipping %s for failure retrieving kernel\n",
 				label->name);
 		return 1;
@@ -673,7 +673,7 @@ static int label_boot(cmd_tbl_t *cmdtp, struct pxe_label *label)
 
 	/* if fdt label is defined then get fdt from server */
 	if (bootm_argv[3] && label->fdt) {
-		if (get_relfile_envaddr(label->fdt, "fdt_addr_r") < 0) {
+		if (get_relfile_envaddr(cmdtp, label->fdt, "fdt_addr_r") < 0) {
 			printf("Skipping %s for failure retrieving fdt\n",
 					label->name);
 			return 1;
@@ -950,7 +950,7 @@ static int parse_integer(char **c, int *dst)
 	return 1;
 }
 
-static int parse_pxefile_top(char *p, struct pxe_menu *cfg, int nest_level);
+static int parse_pxefile_top(cmd_tbl_t *cmdtp, char *p, struct pxe_menu *cfg, int nest_level);
 
 /*
  * Parse an include statement, and retrieve and parse the file it mentions.
@@ -960,7 +960,7 @@ static int parse_pxefile_top(char *p, struct pxe_menu *cfg, int nest_level);
  * include, nest_level has already been incremented and doesn't need to be
  * incremented here.
  */
-static int handle_include(char **c, char *base,
+static int handle_include(cmd_tbl_t *cmdtp, char **c, char *base,
 				struct pxe_menu *cfg, int nest_level)
 {
 	char *include_path;
@@ -975,14 +975,14 @@ static int handle_include(char **c, char *base,
 		return err;
 	}
 
-	err = get_pxe_file(include_path, base);
+	err = get_pxe_file(cmdtp, include_path, base);
 
 	if (err < 0) {
 		printf("Couldn't retrieve %s\n", include_path);
 		return err;
 	}
 
-	return parse_pxefile_top(base, cfg, nest_level);
+	return parse_pxefile_top(cmdtp, base, cfg, nest_level);
 }
 
 /*
@@ -995,7 +995,7 @@ static int handle_include(char **c, char *base,
  * nest_level should be 1 when parsing the top level pxe file, 2 when parsing
  * a file it includes, 3 when parsing a file included by that file, and so on.
  */
-static int parse_menu(char **c, struct pxe_menu *cfg, char *b, int nest_level)
+static int parse_menu(cmd_tbl_t *cmdtp, char **c, struct pxe_menu *cfg, char *b, int nest_level)
 {
 	struct token t;
 	char *s = *c;
@@ -1010,7 +1010,7 @@ static int parse_menu(char **c, struct pxe_menu *cfg, char *b, int nest_level)
 		break;
 
 	case T_INCLUDE:
-		err = handle_include(c, b + strlen(b) + 1, cfg,
+		err = handle_include(cmdtp, c, b + strlen(b) + 1, cfg,
 						nest_level + 1);
 		break;
 
@@ -1172,7 +1172,7 @@ static int parse_label(char **c, struct pxe_menu *cfg)
  *
  * Returns 1 on success, < 0 on error.
  */
-static int parse_pxefile_top(char *p, struct pxe_menu *cfg, int nest_level)
+static int parse_pxefile_top(cmd_tbl_t *cmdtp, char *p, struct pxe_menu *cfg, int nest_level)
 {
 	struct token t;
 	char *s, *b, *label_name;
@@ -1194,7 +1194,7 @@ static int parse_pxefile_top(char *p, struct pxe_menu *cfg, int nest_level)
 		switch (t.type) {
 		case T_MENU:
 			cfg->prompt = 1;
-			err = parse_menu(&p, cfg, b, nest_level);
+			err = parse_menu(cmdtp, &p, cfg, b, nest_level);
 			break;
 
 		case T_TIMEOUT:
@@ -1219,7 +1219,7 @@ static int parse_pxefile_top(char *p, struct pxe_menu *cfg, int nest_level)
 			break;
 
 		case T_INCLUDE:
-			err = handle_include(&p, b + ALIGN(strlen(b), 4), cfg,
+			err = handle_include(cmdtp, &p, b + ALIGN(strlen(b), 4), cfg,
 							nest_level + 1);
 			break;
 
@@ -1276,7 +1276,7 @@ static void destroy_pxe_menu(struct pxe_menu *cfg)
  * files it includes). The resulting pxe_menu struct can be free()'d by using
  * the destroy_pxe_menu() function.
  */
-static struct pxe_menu *parse_pxefile(char *menucfg)
+static struct pxe_menu *parse_pxefile(cmd_tbl_t *cmdtp, char *menucfg)
 {
 	struct pxe_menu *cfg;
 
@@ -1289,7 +1289,7 @@ static struct pxe_menu *parse_pxefile(char *menucfg)
 
 	INIT_LIST_HEAD(&cfg->labels);
 
-	if (parse_pxefile_top(menucfg, cfg, 1) < 0) {
+	if (parse_pxefile_top(cmdtp, menucfg, cfg, 1) < 0) {
 		destroy_pxe_menu(cfg);
 		return NULL;
 	}
@@ -1446,7 +1446,7 @@ do_pxe_boot(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 		return 1;
 	}
 
-	cfg = parse_pxefile((char *)(pxefile_addr_r));
+	cfg = parse_pxefile(cmdtp, (char *)(pxefile_addr_r));
 
 	if (cfg == NULL) {
 		printf("Error parsing config file\n");
@@ -1544,12 +1544,12 @@ int do_sysboot(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 		return 1;
 	}
 
-	if (get_pxe_file(filename, (void *)pxefile_addr_r) < 0) {
+	if (get_pxe_file(cmdtp, filename, (void *)pxefile_addr_r) < 0) {
 		printf("Error reading config file\n");
 		return 1;
 	}
 
-	cfg = parse_pxefile((char *)(pxefile_addr_r));
+	cfg = parse_pxefile(cmdtp, (char *)(pxefile_addr_r));
 
 	if (cfg == NULL) {
 		printf("Error parsing config file\n");


More information about the U-Boot mailing list