[PATCH] board: amlogic: fix buffler overflow in serial & usid read

Neil Armstrong neil.armstrong at linaro.org
Tue Mar 19 15:53:24 CET 2024


While meson_sm_read_efuse() doesn't overflow, the string is not
zero terminated, so env_set() will read past the end of the buffer
and add random characters to the environment.

Signed-off-by: Neil Armstrong <neil.armstrong at linaro.org>
---
 board/amlogic/jethub-j80/jethub-j80.c | 6 ++++--
 board/amlogic/p200/p200.c             | 3 ++-
 board/amlogic/p201/p201.c             | 3 ++-
 board/amlogic/p212/p212.c             | 3 ++-
 board/amlogic/q200/q200.c             | 3 ++-
 5 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/board/amlogic/jethub-j80/jethub-j80.c b/board/amlogic/jethub-j80/jethub-j80.c
index 185880de13..d10492cc46 100644
--- a/board/amlogic/jethub-j80/jethub-j80.c
+++ b/board/amlogic/jethub-j80/jethub-j80.c
@@ -28,8 +28,8 @@
 int misc_init_r(void)
 {
 	u8 mac_addr[EFUSE_MAC_SIZE];
-	char serial[EFUSE_SN_SIZE];
-	char usid[EFUSE_USID_SIZE];
+	char serial[EFUSE_SN_SIZE + 1];
+	char usid[EFUSE_USID_SIZE + 1];
 	ssize_t len;
 	unsigned int adcval;
 	int ret;
@@ -46,6 +46,7 @@ int misc_init_r(void)
 	if (!env_get("serial")) {
 		len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
 					  EFUSE_SN_SIZE);
+		serial[len] = '\0';
 		if (len == EFUSE_SN_SIZE)
 			env_set("serial", serial);
 	}
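Review bot: The added `serial[len] = '\0';` runs before `len` is validated, so any return value other than EFUSE_SN_SIZE is used as an array index unchecked. `len` is an `ssize_t`, and if meson_sm_read_efuse() can return a negative error code (its definition is not part of this patch), the store lands before the start of `serial` on the stack. Terminating only on the success path avoids this: `if (len == EFUSE_SN_SIZE) { serial[len] = '\0'; env_set("serial", serial); }`, or use the constant index `serial[EFUSE_SN_SIZE] = '\0';`. The same pattern appears in the `usid` hunk of this file and in the `serial#` hunks of p200.c, p201.c, p212.c and q200.c. misc_init_r() starts and ends outside this hunk.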
@@ -53,6 +54,7 @@ int misc_init_r(void)
 	if (!env_get("usid")) {
 		len = meson_sm_read_efuse(EFUSE_USID_OFFSET, usid,
 					  EFUSE_USID_SIZE);
+		usid[len] = '\0';
 		if (len == EFUSE_USID_SIZE)
 			env_set("usid", usid);
 	}
diff --git a/board/amlogic/p200/p200.c b/board/amlogic/p200/p200.c
index 7c432f9d28..37a54e715c 100644
--- a/board/amlogic/p200/p200.c
+++ b/board/amlogic/p200/p200.c
@@ -22,7 +22,7 @@
 int misc_init_r(void)
 {
 	u8 mac_addr[EFUSE_MAC_SIZE];
-	char serial[EFUSE_SN_SIZE];
+	char serial[EFUSE_SN_SIZE + 1];
 	ssize_t len;
 
 	if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
@@ -35,6 +35,7 @@ int misc_init_r(void)
 	if (!env_get("serial#")) {
 		len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
 			EFUSE_SN_SIZE);
+		serial[len] = '\0';
 		if (len == EFUSE_SN_SIZE)
 			env_set("serial#", serial);
 	}
diff --git a/board/amlogic/p201/p201.c b/board/amlogic/p201/p201.c
index 7c432f9d28..37a54e715c 100644
--- a/board/amlogic/p201/p201.c
+++ b/board/amlogic/p201/p201.c
@@ -22,7 +22,7 @@
 int misc_init_r(void)
 {
 	u8 mac_addr[EFUSE_MAC_SIZE];
-	char serial[EFUSE_SN_SIZE];
+	char serial[EFUSE_SN_SIZE + 1];
 	ssize_t len;
 
 	if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
@@ -35,6 +35,7 @@ int misc_init_r(void)
 	if (!env_get("serial#")) {
 		len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
 			EFUSE_SN_SIZE);
+		serial[len] = '\0';
 		if (len == EFUSE_SN_SIZE)
 			env_set("serial#", serial);
 	}
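Review bot: This read-terminate-set sequence is now repeated by hand in five board files, and the `index` lines show p200.c and p201.c are byte-identical before and after the patch. A single shared helper for the Amlogic boards that reads the efuse field, checks the returned length and NUL-terminates would keep the bounds handling in one place, so a future board copy cannot miss the terminator. If the duplication stays, a comment at the declaration such as `/* +1: efuse data is not NUL-terminated */` would explain the buffer size to the next reader.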
diff --git a/board/amlogic/p212/p212.c b/board/amlogic/p212/p212.c
index fcef90bce5..90ac9f885d 100644
--- a/board/amlogic/p212/p212.c
+++ b/board/amlogic/p212/p212.c
@@ -23,7 +23,7 @@
 int misc_init_r(void)
 {
 	u8 mac_addr[EFUSE_MAC_SIZE];
-	char serial[EFUSE_SN_SIZE];
+	char serial[EFUSE_SN_SIZE + 1];
 	ssize_t len;
 
 	if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
@@ -38,6 +38,7 @@ int misc_init_r(void)
 	if (!env_get("serial#")) {
 		len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
 			EFUSE_SN_SIZE);
+		serial[len] = '\0';
 		if (len == EFUSE_SN_SIZE)
 			env_set("serial#", serial);
 	}
diff --git a/board/amlogic/q200/q200.c b/board/amlogic/q200/q200.c
index 3aa6d8f200..1c47f4645f 100644
--- a/board/amlogic/q200/q200.c
+++ b/board/amlogic/q200/q200.c
@@ -23,7 +23,7 @@
 int misc_init_r(void)
 {
 	u8 mac_addr[EFUSE_MAC_SIZE];
-	char serial[EFUSE_SN_SIZE];
+	char serial[EFUSE_SN_SIZE + 1];
 	ssize_t len;
 
 	if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
@@ -38,6 +38,7 @@ int misc_init_r(void)
 	if (!env_get("serial#")) {
 		len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
 					  EFUSE_SN_SIZE);
+		serial[len] = '\0';
 		if (len == EFUSE_SN_SIZE)
 			env_set("serial#", serial);
 	}

---
base-commit: b145877c22b391a4872c875145a8f86f6ffebaba
change-id: 20240319-u-boot-fix-p200-serial-a017f57caf88

Best regards,
-- 
Neil Armstrong <neil.armstrong at linaro.org>


