[U-Boot] Prevent null pointer dereference originating in cmd_pxe.c
Tom Rini
trini at ti.com
Tue Oct 15 02:21:13 CEST 2013
On Mon, Oct 07, 2013 at 09:51:48AM -0400, Steven Falco wrote:
> Pass a valid cmdtp into do_tftpb(), do_ext2load(), and do_get_fat(), to avoid
> possible crashes due to null pointer dereferencing.
>
> Signed-off-by: Steven A. Falco <stevenfalco at gmail.com>
>
> ---
> > This doesn't apply cleanly, nor with --ignore-whitespace for me. Can
> > you please re-check and re-send the patch? Thanks.
>
> Sorry - I've been having trouble getting Thunderbird to leave my text
> alone. There was some insane "flowed text" setting that I just discovered
> and disabled.
>
> I think I've got it right now. I'll download this email from the list
> after I post it, and do a diff to be sure.
>
> Commit d7884e047d08447dfd1374e9fa2fdf7ab36e56f5 does not go far enough. There
> is still at least one call chain that can result in a crash.
>
> The do_tftpb(), do_ext2load(), and do_get_fat() functions expect a valid cmdtp.
> Passing in NULL is particularly bad in the do_tftpb() case, because eventually
> boot_get_kernel() will be called with a NULL cmdtp:
>
> do_tftpb() -> netboot_common() -> bootm_maybe_autostart() -> do_bootm() ->
> do_bootm_states() -> bootm_find_os() -> boot_get_kernel()
>
> Around line 991 in cmd_bootm.c, boot_get_kernel() will dereference the null
> pointer, and the board will crash.
With a reworded commit message to include more details, applied to
u-boot/master, thanks!
--
Tom
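
The call-chain problem described in the quoted commit message, as an added C model that is not U-Boot code and not part of this thread: a NULL cmdtp handed to a loader is forwarded untouched until the deepest callee uses it. The struct, the `*_model` and `get_file_*` names and the log text are constructed stand-ins, and the NULL test in the leaf stands in for the crash so the model can run on a host.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a command table entry; only the field used here. */
struct cmd_tbl_model {
    const char *name;
};

/* Leaf of the chain: uses cmdtp->name, as the deepest callee in the report does.
 * The NULL test stands in for the crash so the model can run on a host. */
static int get_kernel_model(const struct cmd_tbl_model *cmdtp, char *log, size_t len)
{
    if (cmdtp == NULL)
        return -1;                      /* on the board: NULL dereference */
    snprintf(log, len, "%s: looking for kernel image", cmdtp->name);
    return 0;
}

/* Intermediate layers only forward the pointer; none of them inspects it. */
static int autostart_model(const struct cmd_tbl_model *cmdtp, char *log, size_t len)
{
    return get_kernel_model(cmdtp, log, len);
}
static int tftp_load_model(const struct cmd_tbl_model *cmdtp, char *log, size_t len)
{
    return autostart_model(cmdtp, log, len);
}

/* Before: the caller has a valid cmdtp but hands NULL to the loader. */
static int get_file_before(const struct cmd_tbl_model *cmdtp, char *log, size_t len)
{
    (void)cmdtp;
    return tftp_load_model(NULL, log, len);
}

/* After: the caller's own cmdtp is passed down the chain. */
static int get_file_after(const struct cmd_tbl_model *cmdtp, char *log, size_t len)
{
    return tftp_load_model(cmdtp, log, len);
}

int main(void)
{
    struct cmd_tbl_model pxe = { "pxe" };
    char log[64] = "";
    printf("before: %d\n", get_file_before(&pxe, log, sizeof log));
    printf("after:  %d (%s)\n", get_file_after(&pxe, log, sizeof log), log);
    return 0;
}
```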