[PATCH v1 1/1] bootm: move OS index bound check into the legacy path
Aristo Chen
aristo.chen at canonical.com
Fri Jun 19 16:45:51 CEST 2026
Commit 103b1e7ce8cc ("bootm: bound-check OS index in
bootm_os_get_boot_func()") added a range check to the shared accessor so
an out-of-range OS id can no longer drive an out-of-bounds read of
boot_os[]. That accessor is reached by every image format, but only a
legacy uImage can deliver an unchecked value. bootm_find_os() takes the
raw 8-bit ih_os byte straight from image_get_os() for legacy images,
whereas the FIT path reaches the accessor only after fit_image_load()
has rejected any image whose os is not one of the supported types, and
the Android path hardcodes IH_OS_LINUX. The check can therefore never
fail for FIT, where it only adds confusion and code.
Move the test to the legacy branch of bootm_find_os(), rejecting an
out-of-range OS where the untrusted byte enters. This keeps the FIT path
clear and lets the check be compiled out when CONFIG_LEGACY_IMAGE_FORMAT
is disabled. A valid OS id that has no handler is still reported by the
existing NULL return path in bootm_run_states().
Suggested-by: Simon Glass <sjg at chromium.org>
Signed-off-by: Aristo Chen <aristo.chen at canonical.com>
---
boot/bootm.c | 4 ++++
boot/bootm_os.c | 2 --
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/boot/bootm.c b/boot/bootm.c
index 4c260a5f5ce..f9f0b2e918a 100644
--- a/boot/bootm.c
+++ b/boot/bootm.c
@@ -330,6 +330,10 @@ static int bootm_find_os(const char *cmd_name, const char *addr_fit)
images.os.type = image_get_type(os_hdr);
images.os.comp = image_get_comp(os_hdr);
images.os.os = image_get_os(os_hdr);
+ if (images.os.os >= IH_OS_COUNT) {
+ printf("Unsupported OS type %d\n", images.os.os);
+ return 1;
+ }
images.os.end = image_get_image_end(os_hdr);
images.os.load = image_get_load(os_hdr);
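Review bot: The new test `if (images.os.os >= IH_OS_COUNT)` uses a different bound from the check this patch removes from bootm_os_get_boot_func(), which compared against ARRAY_SIZE(boot_os). Nothing in the visible diff ties the two bounds together, so if boot_os[] holds fewer than IH_OS_COUNT entries, an id that passes this test can still index past the end of the array. Either compare against the array size here (which means exposing it from bootm_os.c) or add a build-time assertion in bootm_os.c that ARRAY_SIZE(boot_os) equals IH_OS_COUNT.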
diff --git a/boot/bootm_os.c b/boot/bootm_os.c
index 69aa577a2fc..ae20b555f5c 100644
--- a/boot/bootm_os.c
+++ b/boot/bootm_os.c
@@ -599,7 +599,5 @@ int boot_selected_os(int state, struct bootm_info *bmi, boot_os_fn *boot_fn)
boot_os_fn *bootm_os_get_boot_func(int os)
{
- if (os < 0 || os >= ARRAY_SIZE(boot_os))
- return NULL;
return boot_os[os];
}
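Review bot: With the guard removed, `return boot_os[os];` in bootm_os_get_boot_func() indexes the array with an unchecked int, and the function is not static, so its safety now depends on every current and future caller having validated the id first. Please add a comment above the function stating that precondition (the caller must pass an os value already checked to be in range), so that a new caller does not reintroduce the out-of-bounds read the commit message describes.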
--
2.43.0