Fwd: [BUG] bootm.c: Incorrect use of ft_len as end address in check_overlap()
Tom Rini
trini at konsulko.com
Mon Jun 23 18:53:09 CEST 2025
On Wed, Jun 18, 2025 at 02:38:36PM +0800, Osaka Osaka wrote:
> Hi U-Boot maintainers,
>
> I would like to report a potential issue in bootm.c regarding FDT/OS image
> overlap checking.
>
> In current mainline code:
>
> https://github.com/u-boot/u-boot/blob/master/boot/bootm.c#L448
>
> We have the following logic:
>
> ```c
> if (check_overlap("FDT", map_to_sysmem(images->ft_addr),
>                   images->ft_len, start, size))
>         return 1;
> ```
>
> However, `check_overlap()` expects the second and third parameters to be a
> memory **range**: [start, end). Here, `images->ft_len` is being passed
> directly as the `end` address, but in reality it is the **length**, not the
> end.
>
> This is misleading and could potentially cause overlap checks to pass
> incorrectly, especially if `map_to_sysmem(images->ft_addr)` is non-zero.
>
> To fix it, we should properly compute the end address:
>
> ```c
> ulong fdt_start = map_to_sysmem(images->ft_addr);
> ulong fdt_end = fdt_start + images->ft_len;
>
> if (check_overlap("FDT", fdt_start, fdt_end, start, start + size))
>         return 1;
> ```
>
> ```c
> if (check_overlap("FDT",
>                   map_to_sysmem(images->ft_addr),
>                   map_to_sysmem(images->ft_addr) + images->ft_len,
>                   start, start + size))
>         return 1;
> ```
>
> Let me know if I should send a proper patch for this.
Thanks for the report, yes, please do.
--
Tom
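
Added example, not part of the thread and not U-Boot's code: a simplified model of a half-open range overlap check, showing how a length passed in the "end" slot lets an FDT that starts below the OS image and runs into it go undetected. All function names and addresses are constructed for illustration; the corrected helper also reports an overlap when address plus length would wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model only (not U-Boot's check_overlap): half-open ranges [a_start, a_end)
 * and [b_start, b_end) overlap when each starts before the other ends. */
static bool ranges_overlap(uint64_t a_start, uint64_t a_end,
                           uint64_t b_start, uint64_t b_end)
{
    if (a_start >= a_end || b_start >= b_end)
        return false;               /* empty or inverted range */
    return a_start < b_end && b_start < a_end;
}

/* Turn (addr, len) into an end address; false if addr + len would wrap. */
static bool range_end(uint64_t addr, uint64_t len, uint64_t *end)
{
    if (len > UINT64_MAX - addr)
        return false;
    *end = addr + len;
    return true;
}

/* Call shape described in the report: the FDT length sits in the "end" slot. */
static bool fdt_overlaps_os_buggy(uint64_t fdt_addr, uint64_t fdt_len,
                                  uint64_t os_start, uint64_t os_size)
{
    return ranges_overlap(fdt_addr, fdt_len, os_start, os_start + os_size);
}

/* Corrected shape: real end addresses; a wrapping range is reported as overlap. */
static bool fdt_overlaps_os_fixed(uint64_t fdt_addr, uint64_t fdt_len,
                                  uint64_t os_start, uint64_t os_size)
{
    uint64_t fdt_end, os_end;
    if (!range_end(fdt_addr, fdt_len, &fdt_end) ||
        !range_end(os_start, os_size, &os_end))
        return true;
    return ranges_overlap(fdt_addr, fdt_end, os_start, os_end);
}

int main(void)
{
    /* Constructed layout: OS at 0x80000000 (16 MiB), FDT 64 KiB below it, 128 KiB long. */
    uint64_t os = 0x80000000u, os_size = 0x1000000u, fdt = 0x7fff0000u, len = 0x20000u;
    printf("buggy: %d\n", fdt_overlaps_os_buggy(fdt, len, os, os_size));
    printf("fixed: %d\n", fdt_overlaps_os_fixed(fdt, len, os, os_size));
    return 0;
}
```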