[PATCH] bootstd: android: Fix write outside of memory
Tom Rini
trini at konsulko.com
Tue Jan 6 18:16:33 CET 2026
On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote:
> From: Chris Morgan <macromorgan at hotmail.com>
>
> It looks like under certain circumstances when reading the vendor_boot
> partition it causes my device to write outside the range of memory
> available. Near as I can tell this occurs because
> scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
> which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
> add_trailer() which attempts to copy information to a buffer allocated
> with malloc in the scan_vendor_boot_part() function. On my board the
> memory set aside for malloc is at the top of the system RAM, and given
> a large enough vendor boot image size this causes the write from
> add_trailer() to occur outside of the system RAM (nevermind outside
> of what was allocated with the malloc().
>
> While I don't know the absolute best way to handle this, I would assume
> that if we simply map the memory we want to use to where we will
> eventually load the vendor_boot image that would be the most logical.
>
> Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
> Signed-off-by: Chris Morgan <macromorgan at hotmail.com>
> ---
> boot/bootmeth_android.c | 20 ++++++--------------
> 1 file changed, 6 insertions(+), 14 deletions(-)
>
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 1374551dbeb..c2c25d53ef3 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
> struct blk_desc *desc = dev_get_uclass_plat(blk);
> struct disk_partition partition;
> char partname[PART_NAME_LEN];
> - ulong num_blks, bufsz;
> + ulong num_blks;
> char *buf;
> int ret;
> + ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
>
> if (priv->slot)
> sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
> @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
> return log_msg_ret("part info", ret);
>
> num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
> - bufsz = num_blks * desc->blksz;
> - buf = malloc(bufsz);
> + buf = map_sysmem(vloadaddr, 0);
> if (!buf)
> return log_msg_ret("buf", -ENOMEM);
>
> ret = blk_read(blk, partition.start, num_blks, buf);
> - if (ret != num_blks) {
> - free(buf);
> + if (ret != num_blks)
> return log_msg_ret("part read", -EIO);
> - }
>
> - if (!is_android_vendor_boot_image_header(buf)) {
> - free(buf);
> + if (!is_android_vendor_boot_image_header(buf))
> return log_msg_ret("header", -ENOENT);
> - }
>
> - if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
> - free(buf);
> + if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
> return log_msg_ret("get vendor bootimg size", -EINVAL);
> - }
> -
> - free(buf);
>
> return 0;
> }
I haven't forgotten about this, but I'm hoping there's some other way to
solve this, I'm not super keen on adding another environment variable
(that would need to be documented in a v2 if we can't fix this some
other way). Mattijs, do you have any ideas?
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260106/eac36242/attachment-0001.sig>
More information about the U-Boot
mailing list