[PATCH v1] bootm: bound-check OS index in bootm_os_get_boot_func()
Tom Rini
trini at konsulko.com
Fri Jun 12 03:59:13 CEST 2026
On Sun, 24 May 2026 15:13:16 +0000, Aristo Chen wrote:
> The boot_os[] table in bootm_os.c is a sparse array whose compile-time
> size is set by its largest designated initializer (IH_OS_ELF), giving
> it IH_OS_ELF + 1 entries. The accessor bootm_os_get_boot_func() returns
> boot_os[os] without any bound check, even though the caller in
> bootm_run_states() passes images->os.os straight through. That field is
> populated by image_get_os() from the raw 8-bit ih_os byte of a legacy
> uImage, and by fit_image_get_os() for a FIT, neither of which clamps
> the value against the table size.
>
> [...]
Applied to u-boot/next, thanks!
[1/1] bootm: bound-check OS index in bootm_os_get_boot_func()
commit: 103b1e7ce8cc0b559dfce4585e403f18685aeda8
--
Tom
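
The accessor problem described in the quoted commit message, as an added example that is not code from this thread or from U-Boot: a sparse table sized by its largest designated initializer, with an accessor that rejects indices past the end. All `demo_*` names and the enum values are hypothetical and constructed for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical OS ids for this sketch; not U-Boot's IH_OS_* values. */
enum { DEMO_OS_LINUX = 5, DEMO_OS_ELF = 9 };

typedef int (*boot_fn)(void);

static int boot_linux(void) { return 1; }
static int boot_elf(void)   { return 2; }

/* Sparse table: designated initializers leave NULL holes, and the largest
 * index fixes the compile-time size at DEMO_OS_ELF + 1 entries. */
static boot_fn demo_boot_os[] = {
	[DEMO_OS_LINUX] = boot_linux,
	[DEMO_OS_ELF]   = boot_elf,
};

#define DEMO_ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

size_t demo_table_entries(void) { return DEMO_ARRAY_SIZE(demo_boot_os); }

/* 'os' models an id copied from an 8-bit image header field (0..255).
 * Ids past the end of the table yield NULL instead of an out-of-bounds read. */
boot_fn demo_get_boot_func(unsigned int os)
{
	if (os >= DEMO_ARRAY_SIZE(demo_boot_os))
		return NULL;
	return demo_boot_os[os];	/* still NULL for a hole in the table */
}

/* Caller side: NULL (hole or out of range) means "unsupported OS". */
int demo_boot(uint8_t os_byte)
{
	boot_fn fn = demo_get_boot_func(os_byte);

	return fn ? fn() : -1;
}

int main(void)
{
	printf("entries=%zu\n", demo_table_entries());
	printf("os=9 -> %d, os=200 -> %d\n", demo_boot(9), demo_boot(200));
	return 0;
}
```
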