[U-Boot] tools: mkimage: Use fstat instead of stat to avoid malicious hacks

Tom Rini trini at konsulko.com
Mon Dec 12 14:46:33 CET 2016


On Tue, Dec 06, 2016 at 05:17:01PM +0100, Michal Simek wrote:

> The patch is fixing:
> "tools: mkimage: Check if file is regular file"
> (sha1: 56c7e8015509312240b1ee15f2ff74510939a45d)
> which contains two issues reported by Coverity:
> an unchecked return value from stat and an incorrect calling sequence
> where an attack can happen between calling stat and fopen.
> Using the pair in the opposite order (fopen and fstat) is fixing this issue
> because fstat is using the same file descriptor (FILE *).
> 
> Also fixing an issue with:
> "tools: mkimage: Add support for initialization table for Zynq and
> ZynqMP" (sha1: 3b6460809c2a28360029c1c48247648fac4455c9)
> where the file wasn't checked to be a regular file.
> 
> Reported-by: Coverity (CID: 154711, 154712)
> Signed-off-by: Michal Simek <michal.simek at xilinx.com>
> Reviewed-by: Tom Rini <trini at konsulko.com>

Applied to u-boot/master, thanks!

-- 
Tom
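
The fopen-then-fstat ordering described in the quoted commit message, as an added C example that is not part of this thread or of the U-Boot patch itself. The helper names `open_regular_file` and `checked_size` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L	/* fileno(), fstat() under strict -std */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical helper: open first, then validate the object actually opened. */
static FILE *open_regular_file(const char *path, off_t *size_out)
{
	struct stat sbuf;
	FILE *fp = fopen(path, "rb");
	if (!fp)
		return NULL;			/* errno set by fopen() */
	/*
	 * fstat() queries the already-open descriptor, not the path name, so
	 * replacing the path after fopen() cannot change what is checked here.
	 */
	if (fstat(fileno(fp), &sbuf) < 0) {	/* return value is checked */
		int saved = errno;
		fclose(fp);
		errno = saved;
		return NULL;
	}
	if (!S_ISREG(sbuf.st_mode)) {		/* directory, FIFO, device, ... */
		fclose(fp);
		errno = EINVAL;
		return NULL;
	}
	*size_out = sbuf.st_size;
	return fp;
}

/* Size of a regular file in bytes, or -1 if it cannot be opened or is not regular. */
static long checked_size(const char *path)
{
	off_t size;
	FILE *fp = open_regular_file(path, &size);
	if (!fp)
		return -1;
	fclose(fp);
	return (long)size;
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : ".";	/* "." is rejected */
	printf("%s: %ld\n", path, checked_size(path));
	return 0;
}
```

Because the check runs after the open, fopen() on a FIFO with no writer blocks before fstat() is reached; code that must accept untrusted paths can open with open() and O_NONBLOCK, then fstat() and fdopen().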