[PATCH 4/6] spl: spl_legacy: Add extra address checks

Marek Vasut marex at denx.de
Mon Jun 26 10:52:56 CEST 2023


Check that neither the loaded image nor the entry point overlaps SPL.

Signed-off-by: Marek Vasut <marex at denx.de>
---
Cc: "NXP i.MX U-Boot Team" <uboot-imx at nxp.com>
Cc: Fabio Estevam <festevam at denx.de>
Cc: Heiko Schocher <hs at denx.de>
Cc: Heinrich Schuchardt <xypron.glpk at gmx.de>
Cc: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
Cc: Simon Glass <sjg at chromium.org>
Cc: Stefano Babic <sbabic at denx.de>
Cc: Tom Rini <trini at konsulko.com>
Cc: Ye Li <ye.li at nxp.com>
---
V2: - Use _start instead of __image_copy_start and __bss_end for end
    - Define SYS_BOOTM_LEN for LEGACY_IMAGE_FORMAT || SPL_LEGACY_IMAGE_FORMAT
---
 cmd/Kconfig             |  3 ++-
 common/spl/spl_legacy.c | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 365371fb511..02e54f1e50f 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -362,7 +362,8 @@ config BOOTM_VXWORKS
 
 config SYS_BOOTM_LEN
 	hex "Maximum size of a decompresed OS image"
-	depends on CMD_BOOTM || CMD_BOOTI || CMD_BOOTZ
+	depends on CMD_BOOTM || CMD_BOOTI || CMD_BOOTZ || \
+		   LEGACY_IMAGE_FORMAT || SPL_LEGACY_IMAGE_FORMAT
 	default 0x4000000 if PPC || ARM64
 	default 0x1000000 if X86 || ARCH_MX6 || ARCH_MX7
 	default 0x800000
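Review bot: The prompt on SYS_BOOTM_LEN still reads "Maximum size of a decompresed OS image", but with the widened `depends on` the symbol also caps the size the SPL legacy loader accepts, and exceeding it panics. I would update the prompt to cover both uses and fix the spelling while there, e.g. `hex "Maximum size of an OS image (bootm decompression, SPL legacy load)"`. The defaults were presumably chosen for bootm, so boards that load larger legacy images from SPL would need to raise the value.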
diff --git a/common/spl/spl_legacy.c b/common/spl/spl_legacy.c
index 16851c55eb5..d34bc5492e8 100644
--- a/common/spl/spl_legacy.c
+++ b/common/spl/spl_legacy.c
@@ -7,6 +7,7 @@
 #include <image.h>
 #include <log.h>
 #include <malloc.h>
+#include <asm/sections.h>
 #include <spl.h>
 
 #include <lzma/LzmaTypes.h>
@@ -15,6 +16,22 @@
 
 #define LZMA_LEN	(1 << 20)
 
+static void spl_parse_legacy_validate(uintptr_t start, uintptr_t size)
+{
+	uintptr_t spl_start = (uintptr_t)_start;
+	uintptr_t spl_end = (uintptr_t)__bss_end;
+	uintptr_t end = start + size;
+
+	if ((start >= spl_start && start < spl_end) ||
+	    (end > spl_start && end <= spl_end) ||
+	    (start < spl_start && end >= spl_end) ||
+	    (start > end && end > spl_start))
+		panic("SPL: Image overlaps SPL\n");
+
+	if (size > CONFIG_SYS_BOOTM_LEN)
+		panic("SPL: Image too large\n");
+}
+
 int spl_parse_legacy_header(struct spl_image_info *spl_image,
 			    const struct legacy_img_hdr *header)
 {
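Review bot: `end = start + size` in spl_parse_legacy_validate can wrap, and the fourth clause rejects a wrapped range only when `end > spl_start`, so a header with a load address near the top of the address space and a size below CONFIG_SYS_BOOTM_LEN passes with a range that wraps past zero. Both values come from the image header, so I would reject wrap outright and do the size check first: `if (size > CONFIG_SYS_BOOTM_LEN || end < start) panic("SPL: Image too large\n");`. Separately, the second clause uses `end <= spl_end`, so the zero-size entry-point call panics when the entry point equals `__bss_end`, which is one past SPL rather than inside it. The body of spl_parse_legacy_header, which opens at the end of this hunk, continues outside it.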
@@ -58,6 +75,9 @@ int spl_parse_legacy_header(struct spl_image_info *spl_image,
 	      "payload image: %32s load addr: 0x%lx size: %d\n",
 	      spl_image->name, spl_image->load_addr, spl_image->size);
 
+	spl_parse_legacy_validate(spl_image->load_addr, spl_image->size);
+	spl_parse_legacy_validate(spl_image->entry_point, 0);
+
 	return 0;
 }
 
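Review bot: The first call validates `load_addr` against `spl_image->size`, the header-supplied size, so the overlap check would not cover any bytes written beyond it. That matters if the LZMA path in this file decompresses to `load_addr`; that code is not visible here, though `LZMA_LEN` and the lzma includes suggest it. If `LZMA_LEN` is the output bound there, consider also validating that extent for compressed images, e.g. `spl_parse_legacy_validate(spl_image->load_addr, LZMA_LEN);`. The entry point is checked only against the SPL range; nothing here confirms it lies within `[load_addr, load_addr + size)`, which may be worth adding if legacy images are expected to be self-contained. The start of spl_parse_legacy_header is outside this hunk.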
-- 
2.40.1


