[PATCH v1 0/2] bootm: bound noload kernel decompression to the allocated buffer

Aristo Chen aristo.chen at canonical.com
Wed May 20 06:45:49 CEST 2026


For a compressed kernel_noload image, bootm_load_os() allocates a
decompression buffer of ALIGN(image_len * 4, SZ_1M) and then passes
CONFIG_SYS_BOOTM_LEN (typically 128 MiB on arm64) to image_decomp() as
the output limit. The decompressors honour whatever limit they are
given, so a kernel that decompresses to more than four times its
compressed size runs past the end of the allocated buffer and silently
corrupts adjacent memory.

A 4x compression ratio is at the edge of what modern compressors
(zstd, xz) achieve on real kernels, and is trivially exceeded by
crafted, highly compressible payloads, so this is reachable both
accidentally and intentionally. The overflow can land on already-loaded
boot artefacts (FDT, ramdisk, loadables), U-Boot's own data, or
memory-mapped device registers; the existing post-decompression overlap
check in bootm_load_os() only catches overlap with the FIT itself.

Patch 1 plumbs the actual allocation size through to image_decomp() and
handle_decomp_error() via a single decomp_len variable, so
decompression stops at the buffer boundary and fails cleanly when the
image is too large. The non-noload code path is unchanged and
continues to use CONFIG_SYS_BOOTM_LEN.

Patch 2 adds a sandbox py-test that builds a FIT with a compressed
kernel_noload image whose decompressed size exceeds the per-image
buffer, and asserts that 'bootm loados' reports the failure instead of
overflowing.

Tested on sandbox: the new test passes; the existing
test_fit_compressed_images_load (which covers the load-address path)
and the other tests in test/py/tests/test_fit.py continue to pass.

Aristo Chen (2):
  bootm: fix overflow of the noload kernel decompression buffer
  test/py: test kernel_noload decompression buffer overflow

 boot/bootm.c              | 11 ++---
 test/py/tests/test_fit.py | 84 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 5 deletions(-)

-- 
2.43.0
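
The buffer-sizing mismatch the cover letter describes, as an added illustration that is not part of the series or of U-Boot: a toy run-length decoder stands in for image_decomp(), and the three-byte constructed input format, the SZ_1M/ALIGN/SYS_BOOTM_LEN stand-ins and the load_noload() helper are all assumptions of this example. It shows the pre-patch limit letting a 3-byte image expand to twice its 1 MiB buffer, and the post-patch limit turning the same image into a clean -ENOSPC.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for U-Boot's SZ_1M, ALIGN() and CONFIG_SYS_BOOTM_LEN (128 MiB on arm64). */
#define SZ_1M         (1UL << 20)
#define SYS_BOOTM_LEN (128UL << 20)
#define ALIGN(x, a)   (((x) + ((a) - 1)) & ~((a) - 1))
/* Buffer bootm_load_os() allocates for a compressed kernel_noload image. */
#define NOLOAD_BUF_LEN(image_len) ALIGN((image_len) * 4, SZ_1M)
struct decomp_result { long len; int overflowed; }; /* output size or -ENOSPC; 1 if past the buffer */

/* Toy stand-in for image_decomp(). Constructed format: (count_hi, count_lo, byte)
 * triples, each expanding to count * 4096 copies of byte. Like the real decompressors
 * it honours only out_limit: returns the output size, or -ENOSPC when the next run
 * would cross it. With out == NULL it only computes the size. */
static long toy_decomp(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_limit)
{
	size_t pos = 0;
	for (size_t i = 0; i + 2 < in_len; i += 3) {
		size_t run = (((size_t)in[i] << 8) | in[i + 1]) * 4096;
		if (run > out_limit - pos)
			return -ENOSPC;
		if (out)
			memset(out + pos, in[i + 2], run);
		pos += run;
	}
	return (long)pos;
}

/* The two paths the cover letter contrasts. fixed == 0: limit is SYS_BOOTM_LEN (pre-patch;
 * run size-only here so nothing is really corrupted). fixed == 1: limit is the actual
 * allocation size, decomp_len (post-patch), so an oversized image fails cleanly. */
static struct decomp_result load_noload(const uint8_t *img, size_t img_len, int fixed)
{
	size_t buf_len = NOLOAD_BUF_LEN(img_len);
	size_t decomp_len = fixed ? buf_len : SYS_BOOTM_LEN;
	uint8_t *buf = fixed ? malloc(buf_len) : NULL;
	struct decomp_result r;
	r.len = toy_decomp(img, img_len, buf, decomp_len);
	r.overflowed = r.len > 0 && (size_t)r.len > buf_len;
	free(buf);
	return r;
}

/* Constructed 3-byte "images": one inflating to 2 MiB, one to 512 KiB. */
static const uint8_t img_oversized[] = { 0x02, 0x00, 0xAA };
static const uint8_t img_fits[]      = { 0x00, 0x80, 0x55 };
```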
