[PATCH] fastboot: Fix overflow when calculating chunk size

Tom Rini trini at konsulko.com
Wed May 26 23:25:58 CEST 2021


On Fri, Apr 16, 2021 at 05:58:21PM -0400, Sean Anderson wrote:

> If a chunk was larger than 4GiB, then chunk_data_sz would overflow and
> blkcnt would not be calculated correctly. Upgrade it to a u64 and cast
> its multiplicands as well. Also fix bytes_written while we're at it.
> 
> Signed-off-by: Sean Anderson <sean.anderson at seco.com>
> Reviewed-by: Heiko Schocher <hs at denx.de>
> ---
> 
>  lib/image-sparse.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/image-sparse.c b/lib/image-sparse.c
> index 187ac28cd3..52c8dcc08c 100644
> --- a/lib/image-sparse.c
> +++ b/lib/image-sparse.c
> @@ -55,10 +55,10 @@ int write_sparse_image(struct sparse_storage *info,
>  	lbaint_t blk;
>  	lbaint_t blkcnt;
>  	lbaint_t blks;
> -	uint32_t bytes_written = 0;
> +	uint64_t bytes_written = 0;
>  	unsigned int chunk;
>  	unsigned int offset;
> -	unsigned int chunk_data_sz;
> +	uint64_t chunk_data_sz;
>  	uint32_t *fill_buf = NULL;
>  	uint32_t fill_val;
>  	sparse_header_t *sparse_header;
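
Review bot: the declarations in this hunk spell the new type uint64_t (bytes_written, chunk_data_sz), while the casts added in the later hunks spell it u64. Use one spelling throughout the patch. Note also that chunk_data_sz is used for more than the multiplication further down (a division and a pointer advance appear in the later hunks), so widening it here changes those expressions too.
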
> @@ -132,7 +132,7 @@ int write_sparse_image(struct sparse_storage *info,
>  				 sizeof(chunk_header_t));
>  		}
>  
> -		chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz;
> +		chunk_data_sz = ((u64)sparse_header->blk_sz) * chunk_header->chunk_sz;
>  		blkcnt = chunk_data_sz / info->blksz;
>  		switch (chunk_header->chunk_type) {
>  		case CHUNK_TYPE_RAW:
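
Review bot: `blkcnt = chunk_data_sz / info->blksz`, the context line right after the changed multiplication, becomes a 64-bit division once chunk_data_sz is a uint64_t. On 32-bit targets that pulls in a library divide helper; the size report in the reply below shows __aeabi_uldivmod being added. Use do_div() or an equivalent helper for this division. Separately, blkcnt is an lbaint_t: if that type is narrower than 64 bits on a given configuration, the quotient is still truncated on assignment, so the result should be range-checked before it is stored.
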
> @@ -162,7 +162,7 @@ int write_sparse_image(struct sparse_storage *info,
>  				return -1;
>  			}
>  			blk += blks;
> -			bytes_written += blkcnt * info->blksz;
> +			bytes_written += ((u64)blkcnt) * info->blksz;
>  			total_blocks += chunk_header->chunk_sz;
>  			data += chunk_data_sz;
>  			break;
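
Review bot: `data += chunk_data_sz` in the trailing context now advances the pointer by a 64-bit value, and nothing visible in this hunk checks chunk_data_sz against the amount of image data actually available. A chunk header that claims more than 4GiB is exactly the input this patch is about, so the size should be validated against the remaining image bytes before the write and before data is advanced, and the chunk rejected if it does not fit.
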
> @@ -222,7 +222,7 @@ int write_sparse_image(struct sparse_storage *info,
>  				blk += blks;
>  				i += j;
>  			}
> -			bytes_written += blkcnt * info->blksz;
> +			bytes_written += ((u64)blkcnt) * info->blksz;
>  			total_blocks += chunk_data_sz / sparse_header->blk_sz;
>  			free(fill_buf);
>  			break;
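
Review bot: `total_blocks += chunk_data_sz / sparse_header->blk_sz` is left unchanged here but becomes a second 64-bit division now that chunk_data_sz is widened. Since chunk_data_sz is computed as blk_sz * chunk_sz, this line can be written as `total_blocks += chunk_header->chunk_sz;`, matching the earlier hunk and avoiding the division altogether.
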
> @@ -253,7 +253,7 @@ int write_sparse_image(struct sparse_storage *info,
>  
>  	debug("Wrote %d blocks, expected to write %d blocks\n",
>  	      total_blocks, sparse_header->total_blks);
> -	printf("........ wrote %u bytes to '%s'\n", bytes_written, part_name);
> +	printf("........ wrote %llu bytes to '%s'\n", bytes_written, part_name);
>  
>  	if (total_blocks != sparse_header->total_blks) {
>  		info->mssg("sparse image write failure", response);
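
Review bot: `%llu` with a uint64_t argument in the changed printf() is only correct where uint64_t is unsigned long long; where it is defined as unsigned long the compiler will warn about the format. Cast the argument, e.g. `(unsigned long long)bytes_written`, so the format string is right on every target.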

This results in things like:
            pico-dwarf-imx7d: all +506 bss +48 rodata +2 text +456
               u-boot: add: 1/0, grow: 1/0 bytes: 452/0 (452)
                 function                                   old     new   delta
                 __aeabi_uldivmod                             -     392    +392
                 write_sparse_image                         712     772     +60

Which I believe means that some of the division above needs to be
converted to use do_div().  Since I can't easily confirm the changes,
can you please check into it?  Thanks.

-- 
Tom