[U-Boot] [PATCH] common: image-android-dt: Fix out-of-bounds access

Eugeniu Rosca erosca at de.adit-jv.com
Thu Mar 14 17:31:39 UTC 2019


Currently, 'dtimg' allows users to check indexes equal to
dt_entry_count [1]. Forbid that [2].

[1] Behavior w/o the patch:

=> ext2load mmc 0:1 0x48000000 dtb.img
105695 bytes read in 5 ms (20.2 MiB/s)

=> dtimg dump 0x48000000
dt_table_header:
               magic = d7b7ab1e
          total_size = 105695
         header_size = 32
       dt_entry_size = 32
      dt_entry_count = 2
   dt_entries_offset = 32
           page_size = 4096
             version = 0
dt_table_entry[0]:
             dt_size = 105599
           dt_offset = 96
                  id = 0b779520
                 rev = 00000000
           custom[0] = 00000000
           custom[1] = 00000000
           custom[2] = 00000000
           custom[3] = 00000000
           (FDT)size = 105599
     (FDT)compatible = shimafuji,kingfisher
dt_table_entry[1]:
             dt_size = 105599
           dt_offset = 96
                  id = 0b779530
                 rev = 00000000
           custom[0] = 00000000
           custom[1] = 00000000
           custom[2] = 00000000
           custom[3] = 00000000
           (FDT)size = 105599
     (FDT)compatible = shimafuji,kingfisher

=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z; print z
z=d00dfeed
=> dtimg size 0x48000000 3 z
Error: index > dt_entry_count (3 > 2)

[2] Behavior with the patch:

=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z
Error: index >= dt_entry_count (2 >= 2)

Fixes: c04473345712 ("common: Add support for Android DT image")
Signed-off-by: Eugeniu Rosca <erosca at de.adit-jv.com>
---
 common/image-android-dt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/image-android-dt.c b/common/image-android-dt.c
index c0683ee70f36..691682617932 100644
--- a/common/image-android-dt.c
+++ b/common/image-android-dt.c
@@ -53,8 +53,8 @@ bool android_dt_get_fdt_by_index(ulong hdr_addr, u32 index, ulong *addr,
 	entry_size = fdt32_to_cpu(hdr->dt_entry_size);
 	unmap_sysmem(hdr);
 
-	if (index > entry_count) {
-		printf("Error: index > dt_entry_count (%u > %u)\n", index,
+	if (index >= entry_count) {
+		printf("Error: index >= dt_entry_count (%u >= %u)\n", index,
 		       entry_count);
 		return false;
 	}
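Review bot: the bound is now correct, since `index >= entry_count` rejects index == dt_entry_count, which the pre-patch log shows returning the FDT magic d00dfeed as a "size" (a read one entry past the table). One further point on the same check: entry_count and entry_size are read from the image header and are attacker-controlled if dtb.img is untrusted, so the comparison alone does not guarantee the selected entry lies inside the image; consider also verifying that the computed entry offset plus entry_size does not exceed total_size from the same header before dereferencing it.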
-- 
2.21.0