[U-Boot] common: image-android-dt: Fix out-of-bounds access
Tom Rini
trini at konsulko.com
Fri Mar 22 23:18:38 UTC 2019
On Thu, Mar 14, 2019 at 06:31:39PM +0100, Eugeniu Rosca wrote:
> Currently, 'dtimg' allows users to check indexes equal to
> dt_entry_count [1]. Forbid that [2].
>
> [1] Behavior w/o the patch:
>
> => ext2load mmc 0:1 0x48000000 dtb.img
> 105695 bytes read in 5 ms (20.2 MiB/s)
>
> => dtimg dump 0x48000000
> dt_table_header:
> magic = d7b7ab1e
> total_size = 105695
> header_size = 32
> dt_entry_size = 32
> dt_entry_count = 2
> dt_entries_offset = 32
> page_size = 4096
> version = 0
> dt_table_entry[0]:
> dt_size = 105599
> dt_offset = 96
> id = 0b779520
> rev = 00000000
> custom[0] = 00000000
> custom[1] = 00000000
> custom[2] = 00000000
> custom[3] = 00000000
> (FDT)size = 105599
> (FDT)compatible = shimafuji,kingfisher
> dt_table_entry[1]:
> dt_size = 105599
> dt_offset = 96
> id = 0b779530
> rev = 00000000
> custom[0] = 00000000
> custom[1] = 00000000
> custom[2] = 00000000
> custom[3] = 00000000
> (FDT)size = 105599
> (FDT)compatible = shimafuji,kingfisher
>
> => dtimg size 0x48000000 0 z; print z
> z=19c7f
> => dtimg size 0x48000000 1 z; print z
> z=19c7f
> => dtimg size 0x48000000 2 z; print z
> z=d00dfeed
> => dtimg size 0x48000000 3 z
> Error: index > dt_entry_count (3 > 2)
>
> [2] Behavior with the patch:
>
> => dtimg size 0x48000000 0 z; print z
> z=19c7f
> => dtimg size 0x48000000 1 z; print z
> z=19c7f
> => dtimg size 0x48000000 2 z
> Error: index >= dt_entry_count (2 >= 2)
>
> Fixes: c04473345712 ("common: Add support for Android DT image")
> Signed-off-by: Eugeniu Rosca <erosca at de.adit-jv.com>
Applied to u-boot/master, thanks!
--
Tom
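
Why index 2 returned z=d00dfeed in the quoted log, as an added C example that is not part of the original message or of U-Boot's code: with dt_entries_offset = 32 and dt_entry_size = 32, entry 2 would start at offset 96, which is the dt_offset of the first blob, so the value read as dt_size is that blob's FDT magic. The image bytes are constructed, dt_size_at is a hypothetical helper, and the header layout (consecutive big-endian 32-bit fields in the order the dump prints them) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not a real dtb.img): 32-byte header, two 32-byte
 * entries at offset 32, and the first word of an FDT blob at offset 96. */
static const uint8_t sample_img[128] = {
	0xd7, 0xb7, 0xab, 0x1e,  0, 0, 0, 128, /* magic, total_size */
	0, 0, 0, 32,  0, 0, 0, 32,             /* header_size, dt_entry_size */
	0, 0, 0, 2,   0, 0, 0, 32,             /* dt_entry_count, dt_entries_offset */
	[32] = 0, 0, 0, 32,  0, 0, 0, 96,      /* entry 0: dt_size, dt_offset */
	[64] = 0, 0, 0, 32,  0, 0, 0, 96,      /* entry 1: dt_size, dt_offset */
	[96] = 0xd0, 0x0d, 0xfe, 0xed,         /* FDT magic, start of the blob */
};

static uint32_t be32(const uint8_t *p) /* read one big-endian 32-bit field */
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Hypothetical helper: dt_size of entry `index`, or -1 if the index is rejected.
 * strict = 0 is the check shown under [1], strict = 1 the check shown under [2]. */
static int64_t dt_size_at(const uint8_t *img, uint32_t index, int strict)
{
	uint32_t count = be32(img + 16), esz = be32(img + 12), off = be32(img + 20);

	if (strict ? index >= count : index > count)
		return -1;
	return be32(img + off + index * esz);
}

int main(void)
{
	for (int strict = 0; strict <= 1; strict++)
		for (uint32_t i = 0; i <= 3; i++) {
			int64_t z = dt_size_at(sample_img, i, strict);

			if (z < 0)
				printf("check [%d] index %u: rejected\n", strict + 1, (unsigned)i);
			else
				printf("check [%d] index %u: z=%llx\n", strict + 1, (unsigned)i, (unsigned long long)z);
		}
	return 0;
}
```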