[PATCH v2] board: amlogic: fix buffler overflow in seria, mac & usid read
Viacheslav
adeep at lexina.in
Wed Mar 20 10:03:06 CET 2024
Hi!
Good catch.
for jethub devices:
Acked-by: Viacheslav Bocharov <adeep at lexina.in>
20/03/2024 11.46, Neil Armstrong wrote:
> While meson_sm_read_efuse() doesn't overflow, the string is not
> zero terminated and env_set*() will buffer overflow and add random
> characters to environment.
>
> Signed-off-by: Neil Armstrong <neil.armstrong at linaro.org>
> ---
> Changes in v2:
> - Also fix mac_addr
> - Link to v1: https://lore.kernel.org/r/20240319-u-boot-fix-p200-serial-v1-1-9a4e06815de0@linaro.org
> ---
> board/amlogic/beelink-s922x/beelink-s922x.c | 3 ++-
> board/amlogic/jethub-j100/jethub-j100.c | 3 ++-
> board/amlogic/jethub-j80/jethub-j80.c | 9 ++++++---
> board/amlogic/odroid-n2/odroid-n2.c | 3 ++-
> board/amlogic/p200/p200.c | 6 ++++--
> board/amlogic/p201/p201.c | 6 ++++--
> board/amlogic/p212/p212.c | 6 ++++--
> board/amlogic/q200/q200.c | 6 ++++--
> board/amlogic/vim3/vim3.c | 3 ++-
> 9 files changed, 30 insertions(+), 15 deletions(-)
>
> diff --git a/board/amlogic/beelink-s922x/beelink-s922x.c b/board/amlogic/beelink-s922x/beelink-s922x.c
> index adae27fc7e..c2776310a3 100644
> --- a/board/amlogic/beelink-s922x/beelink-s922x.c
> +++ b/board/amlogic/beelink-s922x/beelink-s922x.c
> @@ -20,7 +20,7 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[MAC_ADDR_LEN];
> + u8 mac_addr[MAC_ADDR_LEN + 1];
> char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3];
> ssize_t len;
>
> @@ -41,6 +41,7 @@ int misc_init_r(void)
> tmp[2] = '\0';
> mac_addr[i] = hextoul(tmp, NULL);
> }
> + mac_addr[MAC_ADDR_LEN] = '\0';
>
> if (is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> diff --git a/board/amlogic/jethub-j100/jethub-j100.c b/board/amlogic/jethub-j100/jethub-j100.c
> index 6a2c4ad4c3..010fc0df7d 100644
> --- a/board/amlogic/jethub-j100/jethub-j100.c
> +++ b/board/amlogic/jethub-j100/jethub-j100.c
> @@ -17,7 +17,7 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[ARP_HLEN];
> + u8 mac_addr[ARP_HLEN + 1];
> char serial[SM_SERIAL_SIZE];
> u32 sid;
>
> @@ -34,6 +34,7 @@ int misc_init_r(void)
> mac_addr[3] = (sid >> 16) & 0xff;
> mac_addr[4] = (sid >> 8) & 0xff;
> mac_addr[5] = (sid >> 0) & 0xff;
> + mac_addr[ARP_HLEN] = '\0';
>
> eth_env_set_enetaddr("ethaddr", mac_addr);
> }
> diff --git a/board/amlogic/jethub-j80/jethub-j80.c b/board/amlogic/jethub-j80/jethub-j80.c
> index 185880de13..0b781666e9 100644
> --- a/board/amlogic/jethub-j80/jethub-j80.c
> +++ b/board/amlogic/jethub-j80/jethub-j80.c
> @@ -27,9 +27,9 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[EFUSE_MAC_SIZE];
> - char serial[EFUSE_SN_SIZE];
> - char usid[EFUSE_USID_SIZE];
> + u8 mac_addr[EFUSE_MAC_SIZE + 1];
> + char serial[EFUSE_SN_SIZE + 1];
> + char usid[EFUSE_USID_SIZE + 1];
> ssize_t len;
> unsigned int adcval;
> int ret;
> @@ -37,6 +37,7 @@ int misc_init_r(void)
> if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
> len = meson_sm_read_efuse(EFUSE_MAC_OFFSET,
> mac_addr, EFUSE_MAC_SIZE);
> + mac_addr[len] = '\0';
> if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> else
> @@ -46,6 +47,7 @@ int misc_init_r(void)
> if (!env_get("serial")) {
> len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
> EFUSE_SN_SIZE);
> + serial[len] = '\0';
> if (len == EFUSE_SN_SIZE)
> env_set("serial", serial);
> }
> @@ -53,6 +55,7 @@ int misc_init_r(void)
> if (!env_get("usid")) {
> len = meson_sm_read_efuse(EFUSE_USID_OFFSET, usid,
> EFUSE_USID_SIZE);
> + usid[len] = '\0';
> if (len == EFUSE_USID_SIZE)
> env_set("usid", usid);
> }
> diff --git a/board/amlogic/odroid-n2/odroid-n2.c b/board/amlogic/odroid-n2/odroid-n2.c
> index 2135457edd..a4bcc62174 100644
> --- a/board/amlogic/odroid-n2/odroid-n2.c
> +++ b/board/amlogic/odroid-n2/odroid-n2.c
> @@ -107,7 +107,7 @@ static int odroid_detect_variant(void)
>
> int misc_init_r(void)
> {
> - u8 mac_addr[MAC_ADDR_LEN];
> + u8 mac_addr[MAC_ADDR_LEN + 1];
> char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3];
> ssize_t len;
>
> @@ -128,6 +128,7 @@ int misc_init_r(void)
> tmp[2] = '\0';
> mac_addr[i] = hextoul(tmp, NULL);
> }
> + mac_addr[MAC_ADDR_LEN] = '\0';
>
> if (is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> diff --git a/board/amlogic/p200/p200.c b/board/amlogic/p200/p200.c
> index 7c432f9d28..769e2735d2 100644
> --- a/board/amlogic/p200/p200.c
> +++ b/board/amlogic/p200/p200.c
> @@ -21,13 +21,14 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[EFUSE_MAC_SIZE];
> - char serial[EFUSE_SN_SIZE];
> + u8 mac_addr[EFUSE_MAC_SIZE + 1];
> + char serial[EFUSE_SN_SIZE + 1];
> ssize_t len;
>
> if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
> len = meson_sm_read_efuse(EFUSE_MAC_OFFSET,
> mac_addr, EFUSE_MAC_SIZE);
> + mac_addr[len] = '\0';
> if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> }
> @@ -35,6 +36,7 @@ int misc_init_r(void)
> if (!env_get("serial#")) {
> len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
> EFUSE_SN_SIZE);
> + serial[len] = '\0';
> if (len == EFUSE_SN_SIZE)
> env_set("serial#", serial);
> }
> diff --git a/board/amlogic/p201/p201.c b/board/amlogic/p201/p201.c
> index 7c432f9d28..769e2735d2 100644
> --- a/board/amlogic/p201/p201.c
> +++ b/board/amlogic/p201/p201.c
> @@ -21,13 +21,14 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[EFUSE_MAC_SIZE];
> - char serial[EFUSE_SN_SIZE];
> + u8 mac_addr[EFUSE_MAC_SIZE + 1];
> + char serial[EFUSE_SN_SIZE + 1];
> ssize_t len;
>
> if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
> len = meson_sm_read_efuse(EFUSE_MAC_OFFSET,
> mac_addr, EFUSE_MAC_SIZE);
> + mac_addr[len] = '\0';
> if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> }
> @@ -35,6 +36,7 @@ int misc_init_r(void)
> if (!env_get("serial#")) {
> len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
> EFUSE_SN_SIZE);
> + serial[len] = '\0';
> if (len == EFUSE_SN_SIZE)
> env_set("serial#", serial);
> }
> diff --git a/board/amlogic/p212/p212.c b/board/amlogic/p212/p212.c
> index fcef90bce5..f6e60ae3af 100644
> --- a/board/amlogic/p212/p212.c
> +++ b/board/amlogic/p212/p212.c
> @@ -22,13 +22,14 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[EFUSE_MAC_SIZE];
> - char serial[EFUSE_SN_SIZE];
> + u8 mac_addr[EFUSE_MAC_SIZE + 1];
> + char serial[EFUSE_SN_SIZE + 1];
> ssize_t len;
>
> if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
> len = meson_sm_read_efuse(EFUSE_MAC_OFFSET,
> mac_addr, EFUSE_MAC_SIZE);
> + mac_addr[len] = '\0';
> if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> else
> @@ -38,6 +39,7 @@ int misc_init_r(void)
> if (!env_get("serial#")) {
> len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
> EFUSE_SN_SIZE);
> + serial[len] = '\0';
> if (len == EFUSE_SN_SIZE)
> env_set("serial#", serial);
> }
> diff --git a/board/amlogic/q200/q200.c b/board/amlogic/q200/q200.c
> index 3aa6d8f200..47f1566a9d 100644
> --- a/board/amlogic/q200/q200.c
> +++ b/board/amlogic/q200/q200.c
> @@ -22,13 +22,14 @@
>
> int misc_init_r(void)
> {
> - u8 mac_addr[EFUSE_MAC_SIZE];
> - char serial[EFUSE_SN_SIZE];
> + u8 mac_addr[EFUSE_MAC_SIZE + 1];
> + char serial[EFUSE_SN_SIZE + 1];
> ssize_t len;
>
> if (!eth_env_get_enetaddr("ethaddr", mac_addr)) {
> len = meson_sm_read_efuse(EFUSE_MAC_OFFSET,
> mac_addr, EFUSE_MAC_SIZE);
> + mac_addr[len] = '\0';
> if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
> else
> @@ -38,6 +39,7 @@ int misc_init_r(void)
> if (!env_get("serial#")) {
> len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial,
> EFUSE_SN_SIZE);
> + serial[len] = '\0';
> if (len == EFUSE_SN_SIZE)
> env_set("serial#", serial);
> }
> diff --git a/board/amlogic/vim3/vim3.c b/board/amlogic/vim3/vim3.c
> index 8bdfb302f7..43d7a8e84f 100644
> --- a/board/amlogic/vim3/vim3.c
> +++ b/board/amlogic/vim3/vim3.c
> @@ -151,7 +151,7 @@ int meson_ft_board_setup(void *blob, struct bd_info *bd)
>
> int misc_init_r(void)
> {
> - u8 mac_addr[MAC_ADDR_LEN];
> + u8 mac_addr[MAC_ADDR_LEN + 1];
> char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3];
> char serial_string[EFUSE_MAC_SIZE + 1];
> ssize_t len;
> @@ -169,6 +169,7 @@ int misc_init_r(void)
> tmp[2] = '\0';
> mac_addr[i] = hextoul(tmp, NULL);
> }
> + mac_addr[MAC_ADDR_LEN] = '\0';
>
> if (is_valid_ethaddr(mac_addr))
> eth_env_set_enetaddr("ethaddr", mac_addr);
>
> ---
> base-commit: b145877c22b391a4872c875145a8f86f6ffebaba
> change-id: 20240319-u-boot-fix-p200-serial-a017f57caf88
>
> Best regards,
More information about the U-Boot
mailing list