[PATCH v2 0/2] tools: mkimage: fix get_basename crash on paths with dotted directories

Aristo Chen aristo.chen at canonical.com
Tue May 26 09:03:31 CEST 2026


The get_basename() helper in tools/fit_image.c searches the entire input
path independently for the last '/' and the last '.'. When the last '.'
falls at an offset earlier than the last '/', for example "./mydt",
"a.b/c" or "sub.d/leaf", 'end' points before 'start' and the computed
length is negative. The size check uses signed comparison so the negative
value flows unchanged into memcpy() (cast to size_t there) and mkimage
segfaults during -f auto FIT generation. The helper is reached on every
auto-FIT build via the -b, --fit-tee and --fit-tfa-bl31 file arguments.

The first patch restricts the dot search to the substring that follows
the last slash, which is the minimal fix and preserves the existing
behaviour for typical inputs such as "arch/arm/dts/foo.dtb".

The second patch adds a parametrized sandbox test under
test/py/tests/test_fit_mkimage_validate.py that drives mkimage -f auto
with each of the crashing inputs ("./mydt", "./sub.d/leaf", "./a.b/c")
plus one control input ("./mydt.dtb"). The test reads the resulting
/images/fdt-1 description back from the produced FIT via fdtget to verify
get_basename()'s output matches the expected stripped basename.

Reproducer that previously segfaulted and now produces a valid image:

  echo dummy > kernel.bin
  echo dummy > ./mydt
  ./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
                  -a 0x80000000 -e 0x80000000 -n test \
                  -d kernel.bin -b ./mydt out.itb

Verified by rebuilding tools/mkimage on master and running the command
above with each of the four parametrized inputs. The three crash triggers
all segfault before the fix and now produce the expected fdt-1
descriptions ("mydt", "leaf", "c"); the control input "./mydt.dtb"
continues to produce "mydt" as before.

Changes in v2:

Patch 1/2 is unchanged code-wise and picks up Quentin Schulz's
Reviewed-by from the v1 thread. Marek Vasut asked on that thread whether
basename(3) could replace the helper; the in-thread response noted that
get_basename() also strips the extension and therefore only half of it
overlaps with basename(3), and that the GNU vs POSIX basename() selection
in tools/ is implicit (it relies on _GNU_SOURCE being defined globally
and on <libgen.h> not being included), so v2 keeps the hand-rolled
approach.

Patch 2/2 now reads the fdt sub-image description back from the produced
FIT via fdtget instead of regex-matching mkimage's console output, and
invokes ./tools/mkimage rather than building an absolute path now that
the test runs with cwd=build_dir.

v1: https://patchwork.ozlabs.org/project/uboot/patch/20260521023503.29315-1-aristo.chen@canonical.com/

Aristo Chen (2):
  tools: mkimage: fix get_basename crash on paths with dotted
    directories
  test/py: cover get_basename crash on paths with dotted directories

 test/py/tests/test_fit_mkimage_validate.py | 57 ++++++++++++++++++++++
 tools/fit_image.c                          | 10 +++-
 2 files changed, 65 insertions(+), 2 deletions(-)

-- 
2.43.0
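
The length calculation described in this cover letter, modelled as an added example (it is not the code from tools/fit_image.c or from the patches). The function names whole_path_len(), basename_noext() and name_is() are hypothetical, and the first function only computes the length and never copies, so the program runs without crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length obtained when '/' and '.' are both searched over the whole path,
 * as the cover letter describes. No copy is performed here. */
ptrdiff_t whole_path_len(const char *path)
{
	const char *slash = strrchr(path, '/');
	const char *start = slash ? slash + 1 : path;
	const char *dot = strrchr(path, '.');
	const char *end = dot ? dot : path + strlen(path);

	return end - start;	/* negative when the last '.' precedes the last '/' */
}

/* Dot search restricted to the component after the last '/'.
 * Returns 0 on success, -1 if dst cannot hold even the terminator. */
int basename_noext(char *dst, size_t size, const char *path)
{
	const char *slash = strrchr(path, '/');
	const char *start = slash ? slash + 1 : path;
	const char *dot = strrchr(start, '.');
	size_t len = dot ? (size_t)(dot - start) : strlen(start);

	if (size == 0)
		return -1;
	if (len >= size)
		len = size - 1;	/* unsigned compare, len cannot be negative */
	memcpy(dst, start, len);
	dst[len] = '\0';
	return 0;
}

/* Convenience check: does the stripped basename of path equal want? */
int name_is(const char *path, const char *want)
{
	char buf[64];
	return basename_noext(buf, sizeof(buf), path) == 0 && strcmp(buf, want) == 0;
}

int main(void)
{
	/* Inputs quoted in the cover letter. */
	const char *paths[] = { "./mydt", "./sub.d/leaf", "./a.b/c", "./mydt.dtb" };
	char buf[64];

	for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		if (basename_noext(buf, sizeof(buf), paths[i]) == 0)
			printf("%-13s whole-path len=%td -> \"%s\"\n",
			       paths[i], whole_path_len(paths[i]), buf);
	return 0;
}
```

A negative value from whole_path_len() passes a signed `len >= size` check and becomes a very large size_t once handed to memcpy(), which is the crash the series fixes.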


