[PATCH v1 1/2] bootm: fix overflow of the noload kernel decompression buffer

Tom Rini trini at konsulko.com
Fri May 22 18:42:08 CEST 2026


On Wed, May 20, 2026 at 04:45:50AM +0000, Aristo Chen wrote:

> For a compressed kernel_noload image, bootm_load_os() allocates a
> decompression buffer sized to ALIGN(image_len * 4, SZ_1M), assuming the
> kernel compresses by no more than a factor of four. It then passes
> CONFIG_SYS_BOOTM_LEN, rather than the size of that buffer, to
> image_decomp() as the output limit. The decompressors honour the limit
> they are given, so a kernel that decompresses to more than four times
> its compressed size is written past the end of the allocated buffer and
> corrupts adjacent memory.
> 
> Pass the allocation size to image_decomp() and handle_decomp_error() so
> decompression stops at the buffer boundary and fails cleanly when the
> image is too large, instead of overflowing. The regular non-noload
> paths are unchanged and continue to use CONFIG_SYS_BOOTM_LEN.
> 
> Fixes: 69544c4fd8b1 ("bootm: Support kernel_noload with compression")
> Signed-off-by: Aristo Chen <aristo.chen at canonical.com>

Reviewed-by: Tom Rini <trini at konsulko.com>

-- 
Tom
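The mismatch the commit message describes is easy to reproduce in miniature, and the following is an added illustration written for this page, not U-Boot's code: a toy run-length decoder stands in for image_decomp() and its gzip/lzma back ends, a 16-byte alignment unit stands in for SZ_1M, BOOTM_LEN stands in for CONFIG_SYS_BOOTM_LEN, and a slack region after the buffer models the adjacent memory that gets corrupted. All names and constants here are assumptions; only the ALIGN(image_len * 4, unit) sizing and the "limit passed vs. buffer allocated" mismatch come from the patch description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins: ALIGN() is the usual formula, but the toy aligns to 16 bytes
 * where bootm uses SZ_1M, so the numbers stay small. All hypothetical. */
#define ALIGN(x, a)     (((x) + ((a) - 1)) & ~((a) - 1))
#define ALIGN_UNIT      16
#define BOOTM_LEN       (8u << 20)   /* stands in for CONFIG_SYS_BOOTM_LEN */
#define SLACK_LEN       1024         /* "adjacent memory" after the buffer */
#define SLACK_BYTE      0xA5

/* Toy run-length decoder standing in for gzip/lzma: input is (count, byte)
 * pairs. Like the real decompressors it writes at most out_limit bytes and
 * has no way of knowing how large 'out' really is. Returns bytes produced,
 * or -1 if the output would exceed out_limit. */
static long toy_decomp(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_limit)
{
    size_t produced = 0;

    for (size_t i = 0; i + 1 < in_len; i += 2) {
        size_t count = in[i];

        if (count > out_limit - produced)
            return -1;            /* limit reached: fail cleanly */
        memset(out + produced, in[i + 1], count);
        produced += count;
    }
    return (long)produced;
}

struct noload_result {
    size_t buf_len;   /* ALIGN(image_len * 4, ALIGN_UNIT) */
    long   rc;        /* toy_decomp() return value */
    int    slack_ok;  /* 1 if the bytes after the buffer are intact */
};

/* Models the kernel_noload path: size the buffer at four times the
 * compressed image, then decompress. use_buf_len = 0 reproduces the bug
 * (limit is BOOTM_LEN); use_buf_len = 1 is the fix (limit is the allocation). */
static struct noload_result load_noload(const uint8_t *img, size_t img_len,
                                        int use_buf_len)
{
    struct noload_result r;
    uint8_t *region;
    size_t limit;

    r.buf_len = ALIGN(img_len * 4, ALIGN_UNIT);
    /* Buffer and slack in one allocation, so an overflow of up to SLACK_LEN
     * bytes stays in memory we own and can be inspected afterwards. */
    region = malloc(r.buf_len + SLACK_LEN);
    if (!region) { r.rc = -1; r.slack_ok = 0; return r; }
    memset(region, 0, r.buf_len);
    memset(region + r.buf_len, SLACK_BYTE, SLACK_LEN);

    limit = use_buf_len ? r.buf_len : BOOTM_LEN;
    r.rc = toy_decomp(img, img_len, region, limit);

    r.slack_ok = 1;
    for (size_t i = 0; i < SLACK_LEN; i++) {
        if (region[r.buf_len + i] != SLACK_BYTE) {
            r.slack_ok = 0;
            break;
        }
    }
    free(region);
    return r;
}

/* Constructed inputs: 'oversized' is 4 bytes that expand to 400 (100x, far
 * past the assumed 4x); 'fits' expands to 5 bytes. */
static const uint8_t oversized[] = { 200, 'K', 200, 'K' };
static const uint8_t fits[]      = { 3, 'K', 2, 'L' };

/* Buggy path: 400 bytes land in a 16-byte buffer and the slack is clobbered. */
int buggy_overflows(void)
{
    struct noload_result r = load_noload(oversized, sizeof oversized, 0);
    return r.rc == 400 && !r.slack_ok;
}

/* Fixed path: the decoder stops at the 16-byte boundary and reports failure. */
int fixed_fails_cleanly(void)
{
    struct noload_result r = load_noload(oversized, sizeof oversized, 1);
    return r.rc == -1 && r.slack_ok;
}

/* Fixed path with a well-behaved image still decompresses normally. */
int fixed_accepts_small(void)
{
    struct noload_result r = load_noload(fits, sizeof fits, 1);
    return r.rc == 5 && r.slack_ok;
}

int main(void)
{
    printf("buggy path overflows:     %s\n", buggy_overflows() ? "yes" : "no");
    printf("fixed path fails cleanly: %s\n", fixed_fails_cleanly() ? "yes" : "no");
    printf("fixed path, small image:  %s\n", fixed_accepts_small() ? "ok" : "FAIL");
    return 0;
}
```

The point the toy makes is the one the patch relies on: a decompressor's output limit is the only bound it enforces, so handing it a limit larger than the buffer it is writing into turns every over-expanding image into a heap or memory overwrite, while handing it the real allocation size turns the same image into a clean error. The same check applies to any caller that allocates a guessed output size and then passes a different, larger cap to the decoder.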