[PATCH v2] board: amlogic: fix buffler overflow in seria, mac & usid read
While meson_sm_read_efuse() doesn't overflow, the string is not zero terminated and env_set*() will buffer overflow and add random characters to environment.
Signed-off-by: Neil Armstrong neil.armstrong@linaro.org --- Changes in v2: - Also fix mac_addr - Link to v1: https://lore.kernel.org/r/20240319-u-boot-fix-p200-serial-v1-1-9a4e06815de0@... --- board/amlogic/beelink-s922x/beelink-s922x.c | 3 ++- board/amlogic/jethub-j100/jethub-j100.c | 3 ++- board/amlogic/jethub-j80/jethub-j80.c | 9 ++++++--- board/amlogic/odroid-n2/odroid-n2.c | 3 ++- board/amlogic/p200/p200.c | 6 ++++-- board/amlogic/p201/p201.c | 6 ++++-- board/amlogic/p212/p212.c | 6 ++++-- board/amlogic/q200/q200.c | 6 ++++-- board/amlogic/vim3/vim3.c | 3 ++- 9 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/board/amlogic/beelink-s922x/beelink-s922x.c b/board/amlogic/beelink-s922x/beelink-s922x.c index adae27fc7e..c2776310a3 100644 --- a/board/amlogic/beelink-s922x/beelink-s922x.c +++ b/board/amlogic/beelink-s922x/beelink-s922x.c @@ -20,7 +20,7 @@
int misc_init_r(void) { - u8 mac_addr[MAC_ADDR_LEN]; + u8 mac_addr[MAC_ADDR_LEN + 1]; char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3]; ssize_t len;
@@ -41,6 +41,7 @@ int misc_init_r(void) tmp[2] = '\0'; mac_addr[i] = hextoul(tmp, NULL); } + mac_addr[MAC_ADDR_LEN] = '\0';
if (is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); diff --git a/board/amlogic/jethub-j100/jethub-j100.c b/board/amlogic/jethub-j100/jethub-j100.c index 6a2c4ad4c3..010fc0df7d 100644 --- a/board/amlogic/jethub-j100/jethub-j100.c +++ b/board/amlogic/jethub-j100/jethub-j100.c @@ -17,7 +17,7 @@
int misc_init_r(void) { - u8 mac_addr[ARP_HLEN]; + u8 mac_addr[ARP_HLEN + 1]; char serial[SM_SERIAL_SIZE]; u32 sid;
@@ -34,6 +34,7 @@ int misc_init_r(void) mac_addr[3] = (sid >> 16) & 0xff; mac_addr[4] = (sid >> 8) & 0xff; mac_addr[5] = (sid >> 0) & 0xff; + mac_addr[ARP_HLEN] = '\0';
eth_env_set_enetaddr("ethaddr", mac_addr); } diff --git a/board/amlogic/jethub-j80/jethub-j80.c b/board/amlogic/jethub-j80/jethub-j80.c index 185880de13..0b781666e9 100644 --- a/board/amlogic/jethub-j80/jethub-j80.c +++ b/board/amlogic/jethub-j80/jethub-j80.c @@ -27,9 +27,9 @@
int misc_init_r(void) { - u8 mac_addr[EFUSE_MAC_SIZE]; - char serial[EFUSE_SN_SIZE]; - char usid[EFUSE_USID_SIZE]; + u8 mac_addr[EFUSE_MAC_SIZE + 1]; + char serial[EFUSE_SN_SIZE + 1]; + char usid[EFUSE_USID_SIZE + 1]; ssize_t len; unsigned int adcval; int ret; @@ -37,6 +37,7 @@ int misc_init_r(void) if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE); + mac_addr[len] = '\0'; if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); else @@ -46,6 +47,7 @@ int misc_init_r(void) if (!env_get("serial")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE); + serial[len] = '\0'; if (len == EFUSE_SN_SIZE) env_set("serial", serial); } @@ -53,6 +55,7 @@ int misc_init_r(void) if (!env_get("usid")) { len = meson_sm_read_efuse(EFUSE_USID_OFFSET, usid, EFUSE_USID_SIZE); + usid[len] = '\0'; if (len == EFUSE_USID_SIZE) env_set("usid", usid); } diff --git a/board/amlogic/odroid-n2/odroid-n2.c b/board/amlogic/odroid-n2/odroid-n2.c index 2135457edd..a4bcc62174 100644 --- a/board/amlogic/odroid-n2/odroid-n2.c +++ b/board/amlogic/odroid-n2/odroid-n2.c @@ -107,7 +107,7 @@ static int odroid_detect_variant(void)
int misc_init_r(void) { - u8 mac_addr[MAC_ADDR_LEN]; + u8 mac_addr[MAC_ADDR_LEN + 1]; char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3]; ssize_t len;
@@ -128,6 +128,7 @@ int misc_init_r(void) tmp[2] = '\0'; mac_addr[i] = hextoul(tmp, NULL); } + mac_addr[MAC_ADDR_LEN] = '\0';
if (is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); diff --git a/board/amlogic/p200/p200.c b/board/amlogic/p200/p200.c index 7c432f9d28..769e2735d2 100644 --- a/board/amlogic/p200/p200.c +++ b/board/amlogic/p200/p200.c @@ -21,13 +21,14 @@
int misc_init_r(void) { - u8 mac_addr[EFUSE_MAC_SIZE]; - char serial[EFUSE_SN_SIZE]; + u8 mac_addr[EFUSE_MAC_SIZE + 1]; + char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE); + mac_addr[len] = '\0'; if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); } @@ -35,6 +36,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE); + serial[len] = '\0'; if (len == EFUSE_SN_SIZE) env_set("serial#", serial); } diff --git a/board/amlogic/p201/p201.c b/board/amlogic/p201/p201.c index 7c432f9d28..769e2735d2 100644 --- a/board/amlogic/p201/p201.c +++ b/board/amlogic/p201/p201.c @@ -21,13 +21,14 @@
int misc_init_r(void) { - u8 mac_addr[EFUSE_MAC_SIZE]; - char serial[EFUSE_SN_SIZE]; + u8 mac_addr[EFUSE_MAC_SIZE + 1]; + char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE); + mac_addr[len] = '\0'; if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); } @@ -35,6 +36,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE); + serial[len] = '\0'; if (len == EFUSE_SN_SIZE) env_set("serial#", serial); } diff --git a/board/amlogic/p212/p212.c b/board/amlogic/p212/p212.c index fcef90bce5..f6e60ae3af 100644 --- a/board/amlogic/p212/p212.c +++ b/board/amlogic/p212/p212.c @@ -22,13 +22,14 @@
int misc_init_r(void) { - u8 mac_addr[EFUSE_MAC_SIZE]; - char serial[EFUSE_SN_SIZE]; + u8 mac_addr[EFUSE_MAC_SIZE + 1]; + char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE); + mac_addr[len] = '\0'; if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); else @@ -38,6 +39,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE); + serial[len] = '\0'; if (len == EFUSE_SN_SIZE) env_set("serial#", serial); } diff --git a/board/amlogic/q200/q200.c b/board/amlogic/q200/q200.c index 3aa6d8f200..47f1566a9d 100644 --- a/board/amlogic/q200/q200.c +++ b/board/amlogic/q200/q200.c @@ -22,13 +22,14 @@
int misc_init_r(void) { - u8 mac_addr[EFUSE_MAC_SIZE]; - char serial[EFUSE_SN_SIZE]; + u8 mac_addr[EFUSE_MAC_SIZE + 1]; + char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE); + mac_addr[len] = '\0'; if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); else @@ -38,6 +39,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE); + serial[len] = '\0'; if (len == EFUSE_SN_SIZE) env_set("serial#", serial); } diff --git a/board/amlogic/vim3/vim3.c b/board/amlogic/vim3/vim3.c index 8bdfb302f7..43d7a8e84f 100644 --- a/board/amlogic/vim3/vim3.c +++ b/board/amlogic/vim3/vim3.c @@ -151,7 +151,7 @@ int meson_ft_board_setup(void *blob, struct bd_info *bd)
int misc_init_r(void) { - u8 mac_addr[MAC_ADDR_LEN]; + u8 mac_addr[MAC_ADDR_LEN + 1]; char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3]; char serial_string[EFUSE_MAC_SIZE + 1]; ssize_t len; @@ -169,6 +169,7 @@ int misc_init_r(void) tmp[2] = '\0'; mac_addr[i] = hextoul(tmp, NULL); } + mac_addr[MAC_ADDR_LEN] = '\0';
if (is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr);
--- base-commit: b145877c22b391a4872c875145a8f86f6ffebaba change-id: 20240319-u-boot-fix-p200-serial-a017f57caf88
Best regards,
Hi! Good catch.
for jethub devices:
Acked-by: Viacheslav Bocharov adeep@lexina.in
20/03/2024 11.46, Neil Armstrong wrote:
While meson_sm_read_efuse() doesn't overflow, the string is not zero terminated and env_set*() will buffer overflow and add random characters to environment.
Signed-off-by: Neil Armstrong neil.armstrong@linaro.org
Changes in v2:
- Also fix mac_addr
- Link to v1: https://lore.kernel.org/r/20240319-u-boot-fix-p200-serial-v1-1-9a4e06815de0@...
board/amlogic/beelink-s922x/beelink-s922x.c | 3 ++- board/amlogic/jethub-j100/jethub-j100.c | 3 ++- board/amlogic/jethub-j80/jethub-j80.c | 9 ++++++--- board/amlogic/odroid-n2/odroid-n2.c | 3 ++- board/amlogic/p200/p200.c | 6 ++++-- board/amlogic/p201/p201.c | 6 ++++-- board/amlogic/p212/p212.c | 6 ++++-- board/amlogic/q200/q200.c | 6 ++++-- board/amlogic/vim3/vim3.c | 3 ++- 9 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/board/amlogic/beelink-s922x/beelink-s922x.c b/board/amlogic/beelink-s922x/beelink-s922x.c index adae27fc7e..c2776310a3 100644 --- a/board/amlogic/beelink-s922x/beelink-s922x.c +++ b/board/amlogic/beelink-s922x/beelink-s922x.c @@ -20,7 +20,7 @@
int misc_init_r(void) {
- u8 mac_addr[MAC_ADDR_LEN];
- u8 mac_addr[MAC_ADDR_LEN + 1]; char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3]; ssize_t len;
@@ -41,6 +41,7 @@ int misc_init_r(void) tmp[2] = '\0'; mac_addr[i] = hextoul(tmp, NULL); }
mac_addr[MAC_ADDR_LEN] = '\0';if (is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr);
diff --git a/board/amlogic/jethub-j100/jethub-j100.c b/board/amlogic/jethub-j100/jethub-j100.c index 6a2c4ad4c3..010fc0df7d 100644 --- a/board/amlogic/jethub-j100/jethub-j100.c +++ b/board/amlogic/jethub-j100/jethub-j100.c @@ -17,7 +17,7 @@
int misc_init_r(void) {
- u8 mac_addr[ARP_HLEN];
- u8 mac_addr[ARP_HLEN + 1]; char serial[SM_SERIAL_SIZE]; u32 sid;
@@ -34,6 +34,7 @@ int misc_init_r(void) mac_addr[3] = (sid >> 16) & 0xff; mac_addr[4] = (sid >> 8) & 0xff; mac_addr[5] = (sid >> 0) & 0xff;
mac_addr[ARP_HLEN] = '\0';eth_env_set_enetaddr("ethaddr", mac_addr); }
diff --git a/board/amlogic/jethub-j80/jethub-j80.c b/board/amlogic/jethub-j80/jethub-j80.c index 185880de13..0b781666e9 100644 --- a/board/amlogic/jethub-j80/jethub-j80.c +++ b/board/amlogic/jethub-j80/jethub-j80.c @@ -27,9 +27,9 @@
int misc_init_r(void) {
- u8 mac_addr[EFUSE_MAC_SIZE];
- char serial[EFUSE_SN_SIZE];
- char usid[EFUSE_USID_SIZE];
- u8 mac_addr[EFUSE_MAC_SIZE + 1];
- char serial[EFUSE_SN_SIZE + 1];
- char usid[EFUSE_USID_SIZE + 1]; ssize_t len; unsigned int adcval; int ret;
@@ -37,6 +37,7 @@ int misc_init_r(void) if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE);
mac_addr[len] = '\0';@@ -46,6 +47,7 @@ int misc_init_r(void) if (!env_get("serial")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE);
serial[len] = '\0';@@ -53,6 +55,7 @@ int misc_init_r(void) if (!env_get("usid")) { len = meson_sm_read_efuse(EFUSE_USID_OFFSET, usid, EFUSE_USID_SIZE);
usid[len] = '\0';diff --git a/board/amlogic/odroid-n2/odroid-n2.c b/board/amlogic/odroid-n2/odroid-n2.c index 2135457edd..a4bcc62174 100644 --- a/board/amlogic/odroid-n2/odroid-n2.c +++ b/board/amlogic/odroid-n2/odroid-n2.c @@ -107,7 +107,7 @@ static int odroid_detect_variant(void)
int misc_init_r(void) {
- u8 mac_addr[MAC_ADDR_LEN];
- u8 mac_addr[MAC_ADDR_LEN + 1]; char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3]; ssize_t len;
@@ -128,6 +128,7 @@ int misc_init_r(void) tmp[2] = '\0'; mac_addr[i] = hextoul(tmp, NULL); }
mac_addr[MAC_ADDR_LEN] = '\0';if (is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr);
diff --git a/board/amlogic/p200/p200.c b/board/amlogic/p200/p200.c index 7c432f9d28..769e2735d2 100644 --- a/board/amlogic/p200/p200.c +++ b/board/amlogic/p200/p200.c @@ -21,13 +21,14 @@
int misc_init_r(void) {
- u8 mac_addr[EFUSE_MAC_SIZE];
- char serial[EFUSE_SN_SIZE];
u8 mac_addr[EFUSE_MAC_SIZE + 1];
char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE);
mac_addr[len] = '\0';if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); }
@@ -35,6 +36,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE);
serial[len] = '\0';diff --git a/board/amlogic/p201/p201.c b/board/amlogic/p201/p201.c index 7c432f9d28..769e2735d2 100644 --- a/board/amlogic/p201/p201.c +++ b/board/amlogic/p201/p201.c @@ -21,13 +21,14 @@
int misc_init_r(void) {
- u8 mac_addr[EFUSE_MAC_SIZE];
- char serial[EFUSE_SN_SIZE];
u8 mac_addr[EFUSE_MAC_SIZE + 1];
char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE);
mac_addr[len] = '\0';if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); }
@@ -35,6 +36,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE);
serial[len] = '\0';diff --git a/board/amlogic/p212/p212.c b/board/amlogic/p212/p212.c index fcef90bce5..f6e60ae3af 100644 --- a/board/amlogic/p212/p212.c +++ b/board/amlogic/p212/p212.c @@ -22,13 +22,14 @@
int misc_init_r(void) {
- u8 mac_addr[EFUSE_MAC_SIZE];
- char serial[EFUSE_SN_SIZE];
u8 mac_addr[EFUSE_MAC_SIZE + 1];
char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE);
mac_addr[len] = '\0';if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); else
@@ -38,6 +39,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE);
serial[len] = '\0';diff --git a/board/amlogic/q200/q200.c b/board/amlogic/q200/q200.c index 3aa6d8f200..47f1566a9d 100644 --- a/board/amlogic/q200/q200.c +++ b/board/amlogic/q200/q200.c @@ -22,13 +22,14 @@
int misc_init_r(void) {
- u8 mac_addr[EFUSE_MAC_SIZE];
- char serial[EFUSE_SN_SIZE];
u8 mac_addr[EFUSE_MAC_SIZE + 1];
char serial[EFUSE_SN_SIZE + 1]; ssize_t len;
if (!eth_env_get_enetaddr("ethaddr", mac_addr)) { len = meson_sm_read_efuse(EFUSE_MAC_OFFSET, mac_addr, EFUSE_MAC_SIZE);
mac_addr[len] = '\0';if (len == EFUSE_MAC_SIZE && is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr); else
@@ -38,6 +39,7 @@ int misc_init_r(void) if (!env_get("serial#")) { len = meson_sm_read_efuse(EFUSE_SN_OFFSET, serial, EFUSE_SN_SIZE);
serial[len] = '\0';diff --git a/board/amlogic/vim3/vim3.c b/board/amlogic/vim3/vim3.c index 8bdfb302f7..43d7a8e84f 100644 --- a/board/amlogic/vim3/vim3.c +++ b/board/amlogic/vim3/vim3.c @@ -151,7 +151,7 @@ int meson_ft_board_setup(void *blob, struct bd_info *bd)
int misc_init_r(void) {
- u8 mac_addr[MAC_ADDR_LEN];
- u8 mac_addr[MAC_ADDR_LEN + 1]; char efuse_mac_addr[EFUSE_MAC_SIZE], tmp[3]; char serial_string[EFUSE_MAC_SIZE + 1]; ssize_t len;
@@ -169,6 +169,7 @@ int misc_init_r(void) tmp[2] = '\0'; mac_addr[i] = hextoul(tmp, NULL); }
mac_addr[MAC_ADDR_LEN] = '\0';if (is_valid_ethaddr(mac_addr)) eth_env_set_enetaddr("ethaddr", mac_addr);
base-commit: b145877c22b391a4872c875145a8f86f6ffebaba change-id: 20240319-u-boot-fix-p200-serial-a017f57caf88
Best regards,
Hi,
On Wed, 20 Mar 2024 09:46:11 +0100, Neil Armstrong wrote:
While meson_sm_read_efuse() doesn't overflow, the string is not zero terminated and env_set*() will buffer overflow and add random characters to environment.
Thanks, Applied to https://source.denx.de/u-boot/custodians/u-boot-amlogic (u-boot-amlogic)
[1/1] board: amlogic: fix buffler overflow in seria, mac & usid read https://source.denx.de/u-boot/custodians/u-boot-amlogic/-/commit/d54f87f09a3...
participants (2)
-
Neil Armstrong -
Viacheslav