[U-Boot] [PATCH] kwbimage: Fix out of bounds access
The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size.
Signed-off-by: Alexander Graf agraf@suse.de --- tools/kwbimage.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum; + size_t header_size = kwbimage_header_size(ptr); + + if (header_size > image_size) + return -FDT_ERR_BADSTRUCTURE;
if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE;
On 15.3.2018 11:14, Alexander Graf wrote:
The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size.
Signed-off-by: Alexander Graf agraf@suse.de
tools/kwbimage.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum;
size_t header_size = kwbimage_header_size(ptr);
if (header_size > image_size)
return -FDT_ERR_BADSTRUCTURE;if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE;
Tested-by: Michal Simek michal.simek@xilinx.com
Thanks, Michal
On 15.03.2018 11:14, Alexander Graf wrote:
The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size.
Signed-off-by: Alexander Graf agraf@suse.de
tools/kwbimage.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum;
size_t header_size = kwbimage_header_size(ptr);
if (header_size > image_size)
return -FDT_ERR_BADSTRUCTURE;if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE;
Reviewed-by: Stefan Roese sr@denx.de
Thanks, Stefan
On 15.03.2018 11:14, Alexander Graf wrote:
The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size.
Signed-off-by: Alexander Graf agraf@suse.de
tools/kwbimage.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum;
size_t header_size = kwbimage_header_size(ptr);
if (header_size > image_size)
return -FDT_ERR_BADSTRUCTURE;if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE;
Applied to u-boot-marvell/master.
Thanks, Stefan
participants (3)
-
Alexander Graf -
Michal Simek -
Stefan Roese