[PATCH v1 1/1] bootm: move OS index bound check into the legacy path
Simon Glass
sjg at chromium.org
Thu Jun 25 10:03:31 CEST 2026
On 2026-06-19T14:45:51, Aristo Chen <aristo.chen at canonical.com> wrote:
> bootm: move OS index bound check into the legacy path
>
> Commit 103b1e7ce8cc ("bootm: bound-check OS index in
> bootm_os_get_boot_func()") added a range check to the shared accessor so
> an out-of-range OS id can no longer drive an out-of-bounds read of
> boot_os[]. That accessor is reached by every image format, but only a
> legacy uImage can deliver an unchecked value. bootm_find_os() takes the
> raw 8-bit ih_os byte straight from image_get_os() for legacy images,
> whereas the FIT path reaches the accessor only after fit_image_load()
> has rejected any image whose os is not one of the supported types, and
> the Android path hardcodes IH_OS_LINUX. The check can therefore never
> fail for FIT, where it only adds confusion and code.
>
> Move the test to the legacy branch of bootm_find_os(), rejecting an
> out-of-range OS where the untrusted byte enters. This keeps the FIT path
> clear and lets the check be compiled out when CONFIG_LEGACY_IMAGE_FORMAT
> is disabled. A valid OS id that has no handler is still reported by the
> existing NULL return path in bootm_run_states().
>
> Suggested-by: Simon Glass <sjg at chromium.org>
> Signed-off-by: Aristo Chen <aristo.chen at canonical.com>
>
> boot/bootm.c | 4 ++++
> boot/bootm_os.c | 2 --
> 2 files changed, 4 insertions(+), 2 deletions(-)
Reviewed-by: Simon Glass <sjg at chromium.org>
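
Added example, not part of the original mail and not U-Boot's code: a simplified C model of the arrangement the commit message describes, with the range check placed at the legacy entry point and a shared table accessor that relies on it. All identifiers and enum values below are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; names and values are hypothetical, not U-Boot's. */
enum { OS_INVALID, OS_LINUX, OS_RTOS, OS_COUNT };

typedef int (*boot_fn)(void);

static int boot_linux(void) { return 1; }

/* Handler table indexed by OS id; OS_RTOS is in range but has no handler. */
static boot_fn const handlers[OS_COUNT] = { [OS_LINUX] = boot_linux };

/* Shared accessor: every caller must pass an id already known to be in range. */
static boot_fn get_boot_func(unsigned int os)
{
	return handlers[os];
}

/* Constructed stand-in for a legacy header: one untrusted OS byte. */
struct legacy_hdr { uint8_t os; };

/*
 * Legacy entry point: the raw 8-bit value is range-checked here, where it
 * enters, so nothing downstream indexes the table with it unchecked.
 * Returns 0 and stores the id on success, -1 for an out-of-range id.
 */
static int legacy_find_os(const struct legacy_hdr *hdr, unsigned int *os)
{
	if (hdr->os >= OS_COUNT)
		return -1;
	*os = hdr->os;
	return 0;
}

/* Returns 1 if booted, -1 if the id is out of range, -2 if no handler. */
static int boot_legacy(const struct legacy_hdr *hdr)
{
	unsigned int os;
	boot_fn fn;

	if (legacy_find_os(hdr, &os))
		return -1;
	fn = get_boot_func(os);
	if (!fn)
		return -2;	/* valid id without a handler: NULL return path */
	return fn();
}
```

The two failure codes keep an out-of-range id distinct from an in-range id that simply has no handler.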