[U-Boot] Strange CFI flash problem

Kees Cook keescook at chromium.org
Mon Apr 14 17:38:20 CEST 2014 

On Mon, Apr 14, 2014 at 1:51 AM, Matthias Weißer <weisserm at arcor.de> wrote:
> Am 14.04.2014 08:09, schrieb Matthias Weißer:
>
>> Hi Wolfgang
>>
>> Am 11.04.2014 12:43, schrieb Wolfgang Denk:
>>>
>>> Dear Matthias,
>>>
>>> In message <5347BBBC.9000806 at arcor.de> you wrote:
>>>>
>>>>
>>>> we are currently trying to get an out-of-tree board based on 2013.01
>>>> back in sync with current master and observing a strange behavior which
>>>> we think is located in the CFI flash system. If we load an image via
>>>> tftp, copy it to flash and then try to run the image via bootm we see an
>>>> error while decomressing:
>>>
>>> ...
>>>>
>>>>     Uncompressing Kernel Image ... LZO: uncompress or overwrite error -5
>>>
>>>
>>> Are you sure your malloc arena is big enough for LZO?  Try if
>>> increasing it helps...
>>
>>
>> We increaded it from 4MB to 8MB and the behavior is still the same.
>>
>> We also observed a different behavior when tftping the image to RAM and
>> then directly executing it without copying it to flash. It seems that
>> the flash device (EN29GL256H) is then in some a mode (maybe auto-select)
>> which prevents it from normal read operations which doesn't allow the
>> flash driver of the OS come up. We never saw this with our old u-boot.
>> If there are no ideas left we will have to bisect the problem.
>
>
> Bisecting was successfull. The commit introducing the problem is
>
> commit ff9d2efdbf1b3b5263f81e843c6724b8bead7f1f
> Author: Kees Cook <keescook at chromium.org>
> Date:   Fri Aug 16 07:59:15 2013 -0700
>
>     lzo: correctly bounds-check output buffer
>
>     This checks the size of the output buffer and fails if it was going to
>     overflow the buffer during lzo decompression.
>
>     Signed-off-by: Kees Cook <keescook at chromium.org>
>     Acked-by: Simon Glass <sjg at chromium.org>
>
> This commit introduced the usage of the dst_len output parameter as
> additional input parameter containing the maximum output buffer size. This
> parameter isn't initialized in cmd_bootm.c:
>
>  454 #ifdef CONFIG_LZO
>  455     case IH_COMP_LZO: {
>  456         size_t size;
>  457
>  458         printf("   Uncompressing %s ... ", type_name);
>  459
>  460         ret = lzop_decompress(image_buf, image_len, load_buf, &size);
>
> Setting size to some big value (SZE_MAX is not avialable) fixed the behavior
> but I am unsure if this is the correct solution. I think its hard to get the
> max output buffer size at this point in cmd_bootm.c.

Does this work?

---
From: Kees Cook <keescook at chromium.org>
Subject: [PATCH] bootm: set max output for LZO

The LZO decompressor wasn't initializing the maximum output size.

Reported-by: Matthias Weißer <weisserm at arcor.de>
Signed-off-by: Kees Cook <keescook at chromium.org>
---
 common/cmd_bootm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index 9751edc..c243a5b 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -453,7 +453,7 @@ static int bootm_load_os(bootm_headers_t *images,
unsigned long *load_end,
 #endif /* CONFIG_LZMA */
 #ifdef CONFIG_LZO
        case IH_COMP_LZO: {
-               size_t size;
+               size_t size = unc_len;

                printf("   Uncompressing %s ... ", type_name);

-- 
1.7.9.5



-- 
Kees Cook
Chrome OS Security

More information about the U-Boot mailing list