[U-Boot] [PATCH v2 10/10] gpt: harden set_gpt_info() against non NULL-terminated strings

alison at peloton-tech.com alison at peloton-tech.com
Tue Jul 4 18:19:46 UTC 2017


From: Alison Chaiken <alison at peloton-tech.com>

Strings read from devices may sometimes fail to be
NULL-terminated.   The functions in lib/string.c are subject to
failure in this case.   Protect against observed failures in
set_gpt_info() by switching to length-checking variants with a length
limit of the maximum possible partition table length.  At the same
time, add a few checks for NULL string pointers.

Here is an example as observed in sandbox under GDB:

    => gpt verify host 0 $partitions
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000477747 in strlen (s=0x0) at lib/string.c:267
    267             for (sc = s; *sc != '\0'; ++sc)
    (gdb) bt
    #0  0x0000000000477747 in strlen (s=0x0) at lib/string.c:267
    #1  0x00000000004140b2 in set_gpt_info (str_part=<optimized out>,
    str_disk_guid=str_disk_guid at entry=0x7fffffffdbe8, partitions=partitions at entry=0x7fffffffdbd8,
    parts_count=parts_count at entry=0x7fffffffdbcf "", dev_desc=<optimized out>) at cmd/gpt.c:415
    #2  0x00000000004145b9 in gpt_verify (str_part=<optimized out>, blk_dev_desc=0x7fffef09a9d0) at cmd/gpt.c:580
    #3  do_gpt (cmdtp=<optimized out>, flag=<optimized out>, argc=<optimized out>, argv=0x7fffef09a8f0)
    at cmd/gpt.c:783
    #4  0x00000000004295b0 in cmd_call (argv=0x7fffef09a8f0, argc=0x5, flag=<optimized out>,
    cmdtp=0x714e20 <_u_boot_list_2_cmd_2_gpt>) at common/command.c:500
    #5  cmd_process (flag=<optimized out>, argc=0x5, argv=0x7fffef09a8f0,
    repeatable=repeatable at entry=0x726c04 <flag_repeat>, ticks=ticks at entry=0x0) at common/command.c:539

Suggested-by: Lothar Waßmann <LW at karo-electronics.de>
Signed-off-by: Alison Chaiken <alison at peloton-tech.com>
---

Changes since v1:
  -- Checkpatch cleanups.


 cmd/gpt.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/cmd/gpt.c b/cmd/gpt.c
index d703385a24..f8f35c23e0 100644
--- a/cmd/gpt.c
+++ b/cmd/gpt.c
@@ -233,7 +233,7 @@ static void print_gpt_info(void)
 	}
 }
 
-#ifdef CONFIG_CMD_GPT_RENAME
+
 static int calc_parts_list_len(int numparts)
 {
 	int partlistlen = UUID_STR_LEN + 1 + strlen("uuid_disk=");
@@ -253,6 +253,7 @@ static int calc_parts_list_len(int numparts)
 	return partlistlen;
 }
 
+#ifdef CONFIG_CMD_GPT_RENAME
 /*
  * create the string that upstream 'gpt write' command will accept as an
  * argument
@@ -385,6 +386,7 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 	int errno = 0;
 	uint64_t size_ll, start_ll;
 	lbaint_t offset = 0;
+	int max_str_part = calc_parts_list_len(MAX_SEARCH_PARTITIONS);
 
 	debug("%s:  lba num: 0x%x %d\n", __func__,
 	      (unsigned int)dev_desc->lba, (unsigned int)dev_desc->lba);
@@ -402,6 +404,8 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 	if (!val) {
 #ifdef CONFIG_RANDOM_UUID
 		*str_disk_guid = malloc(UUID_STR_LEN + 1);
+		if (str_disk_guid == NULL)
+			return -ENOMEM;
 		gen_rand_uuid_str(*str_disk_guid, UUID_STR_FORMAT_STD);
 #else
 		free(str);
@@ -416,10 +420,14 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 		/* Move s to first partition */
 		strsep(&s, ";");
 	}
-	if (strlen(s) == 0)
+	if (s == NULL) {
+		printf("Error: is the partitions string NULL-terminated?\n");
+		return -EINVAL;
+	}
+	if (strnlen(s, max_str_part) == 0)
 		return -3;
 
-	i = strlen(s) - 1;
+	i = strnlen(s, max_str_part) - 1;
 	if (s[i] == ';')
 		s[i] = '\0';
 
@@ -433,6 +441,8 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 
 	/* allocate memory for partitions */
 	parts = calloc(sizeof(disk_partition_t), p_count);
+	if (parts == NULL)
+		return -ENOMEM;
 
 	/* retrieve partitions data from string */
 	for (i = 0; i < p_count; i++) {
@@ -454,12 +464,12 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 		} else {
 			if (extract_env(val, &p))
 				p = val;
-			if (strlen(p) >= sizeof(parts[i].uuid)) {
+			if (strnlen(p, max_str_part) >= sizeof(parts[i].uuid)) {
 				printf("Wrong uuid format for partition %d\n", i);
 				errno = -4;
 				goto err;
 			}
-			strcpy((char *)parts[i].uuid, p);
+			strncpy((char *)parts[i].uuid, p, max_str_part);
 			free(val);
 		}
 #ifdef CONFIG_PARTITION_TYPE_GUID
@@ -469,13 +479,13 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 			/* 'type' is optional */
 			if (extract_env(val, &p))
 				p = val;
-			if (strlen(p) >= sizeof(parts[i].type_guid)) {
+			if (strnlen(p, max_str_part) >= sizeof(parts[i].type_guid)) {
 				printf("Wrong type guid format for partition %d\n",
 				       i);
 				errno = -4;
 				goto err;
 			}
-			strcpy((char *)parts[i].type_guid, p);
+			strncpy((char *)parts[i].type_guid, p, max_str_part);
 			free(val);
 		}
 #endif
@@ -487,11 +497,11 @@ static int set_gpt_info(struct blk_desc *dev_desc,
 		}
 		if (extract_env(val, &p))
 			p = val;
-		if (strlen(p) >= sizeof(parts[i].name)) {
+		if (strnlen(p, max_str_part) >= sizeof(parts[i].name)) {
 			errno = -4;
 			goto err;
 		}
-		strcpy((char *)parts[i].name, p);
+		strncpy((char *)parts[i].name, p, max_str_part);
 		free(val);
 
 		/* size */
-- 
2.13.2



More information about the U-Boot mailing list