[U-Boot] [U-Boot, v2, 10/10] gpt: harden set_gpt_info() against non NULL-terminated strings

Tom Rini trini at konsulko.com
Mon Aug 7 13:55:22 UTC 2017 

On Tue, Jul 04, 2017 at 11:19:46AM -0700, Alison Chaiken wrote:

> From: Alison Chaiken <alison at peloton-tech.com>
> 
> Strings read from devices may sometimes fail to be
> NULL-terminated.   The functions in lib/string.c are subject to
> failure in this case.   Protect against observed failures in
> set_gpt_info() by switching to length-checking variants with a length
> limit of the maximum possible partition table length.  At the same
> time, add a few checks for NULL string pointers.
> 
> Here is an example as observed in sandbox under GDB:
> 
>     => gpt verify host 0 $partitions
>     Program received signal SIGSEGV, Segmentation fault.
>     0x0000000000477747 in strlen (s=0x0) at lib/string.c:267
>     267             for (sc = s; *sc != '\0'; ++sc)
>     (gdb) bt
>     #0  0x0000000000477747 in strlen (s=0x0) at lib/string.c:267
>     #1  0x00000000004140b2 in set_gpt_info (str_part=<optimized out>,
>     str_disk_guid=str_disk_guid at entry=0x7fffffffdbe8, partitions=partitions at entry=0x7fffffffdbd8,
>     parts_count=parts_count at entry=0x7fffffffdbcf "", dev_desc=<optimized out>) at cmd/gpt.c:415
>     #2  0x00000000004145b9 in gpt_verify (str_part=<optimized out>, blk_dev_desc=0x7fffef09a9d0) at cmd/gpt.c:580
>     #3  do_gpt (cmdtp=<optimized out>, flag=<optimized out>, argc=<optimized out>, argv=0x7fffef09a8f0)
>     at cmd/gpt.c:783
>     #4  0x00000000004295b0 in cmd_call (argv=0x7fffef09a8f0, argc=0x5, flag=<optimized out>,
>     cmdtp=0x714e20 <_u_boot_list_2_cmd_2_gpt>) at common/command.c:500
>     #5  cmd_process (flag=<optimized out>, argc=0x5, argv=0x7fffef09a8f0,
>     repeatable=repeatable at entry=0x726c04 <flag_repeat>, ticks=ticks at entry=0x0) at common/command.c:539
> 
> Suggested-by: Lothar Waßmann <LW at karo-electronics.de>
> Signed-off-by: Alison Chaiken <alison at peloton-tech.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170807/b9d0644c/attachment.sig>

More information about the U-Boot mailing list