colin/u-boot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c49d0ac38a76c39f9556638bc9128b0969cb1536
u-boot/common
History
Eugeniu Rosca e63bf1b13b common: image-android-dt: Fix out-of-bounds access 
Currently, 'dtimg' allows users to check indexes equal to
dt_entry_count [1]. Forbid that [2].

[1] Behavior w/o the patch:

=> ext2load mmc 0:1 0x48000000 dtb.img
105695 bytes read in 5 ms (20.2 MiB/s)

=> dtimg dump 0x48000000
dt_table_header:
               magic = d7b7ab1e
          total_size = 105695
         header_size = 32
       dt_entry_size = 32
      dt_entry_count = 2
   dt_entries_offset = 32
           page_size = 4096
             version = 0
dt_table_entry[0]:
             dt_size = 105599
           dt_offset = 96
                  id = 0b779520
                 rev = 00000000
           custom[0] = 00000000
           custom[1] = 00000000
           custom[2] = 00000000
           custom[3] = 00000000
           (FDT)size = 105599
     (FDT)compatible = shimafuji,kingfisher
dt_table_entry[1]:
             dt_size = 105599
           dt_offset = 96
                  id = 0b779530
                 rev = 00000000
           custom[0] = 00000000
           custom[1] = 00000000
           custom[2] = 00000000
           custom[3] = 00000000
           (FDT)size = 105599
     (FDT)compatible = shimafuji,kingfisher

=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z; print z
z=d00dfeed
=> dtimg size 0x48000000 3 z
Error: index > dt_entry_count (3 > 2)

[2] Behavior with the patch:

=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z
Error: index >= dt_entry_count (2 >= 2)

Fixes: c044733457 ("common: Add support for Android DT image")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
2019-03-22 12:15:18 -04:00
..
eeprom
init
spl: Add support for passing handoff info to U-Boot proper
2018-11-26 08:25:37 -05:00
spl
common: spl_fit: Default to IH_OS_U_BOOT if FIT_IMAGE_TINY enabled
2019-03-22 12:15:05 -04:00
autoboot.c
avb_verify.c
avb_verify: support using OP-TEE TA AVB
2018-10-07 11:07:25 -04:00
bedbug.c
bloblist.c
Add core support for a bloblist to convey data from SPL
2018-11-26 08:25:32 -05:00
board_f.c
Merge branch 'master' of git://git.denx.de/u-boot-spi
2018-12-05 15:06:24 -05:00
board_info.c
board_r.c
initcall: Move to inline function
2019-02-09 07:50:58 -05:00
boot_fit.c
bootm_os.c
riscv: bootm: Support booting VxWorks
2018-12-31 08:08:51 -05:00
bootm.c
efi_loader: refactor switch to non-secure mode
2019-02-13 09:40:06 +01:00
bootretry.c
bootstage.c
bouncebuf.c
cli_hush.c
cli_readline.c
cli: handle getch error
2018-09-10 20:20:34 -04:00
cli_simple.c
cli.c
dfu: Remove dependency on HUSH parser in SPL
2019-01-26 08:13:55 -05:00
command.c
common: command: Add support for $ auto-completion
2019-01-15 15:38:28 -05:00
common_fit.c
common: Compile error with CONFIG_MULTI_DTB_FIT and not SPL
2018-11-09 10:44:50 -05:00
console.c
sandbox: Allow puts() output before global_data is set up
2018-11-26 08:25:36 -05:00
cros_ec.c
sandbox: cros_ec: exynos: Drop use of cros_ec_get_error()
2018-11-20 19:14:22 -07:00
ddr_spd.c
dfu.c
usb: gadget: Do not call board_usb_xxx() directly in USB gadget drivers
2018-12-07 16:31:45 +01:00
dlmalloc.c
dlmalloc.src
edid.c
exports.c
fdt_support.c
common: fdt_support: print hexadecimal numbers in debug
2019-01-14 17:47:13 -07:00
flash.c
hash.c
Roll CRC16-CCITT into the hash infrastructure
2018-12-08 20:18:44 -05:00
hwconfig.c
image-android-dt.c
common: image-android-dt: Fix out-of-bounds access
2019-03-22 12:15:18 -04:00
image-android.c
image-fdt.c
image: fdt: handle coalesced reserve region
2019-03-08 11:31:44 -05:00
image-fit.c
rsa: add a structure for the padding
2018-12-03 10:44:10 -05:00
image-sig.c
rsa: add support of padding pss
2018-12-03 10:44:10 -05:00
image.c
tools: add i.MX8M image support
2019-01-01 14:12:18 +01:00
iomux.c
iotrace.c
kallsyms.c
Kconfig
preboot: Introduce CONFIG_USE_PREBOOT and migrate CONFIG_PREBOOT
2019-02-22 19:49:41 -05:00
kgdb_stubs.c
kgdb.c
lcd_console_rotation.c
lcd_console.c
lcd_simplefb.c
lcd.c
video: use BMP_ALIGN_CENTER define from splash.h
2018-12-04 19:47:20 +01:00
log_console.c
log.c
log: Add a Kconfig option to set the default log level
2019-02-20 15:21:44 +08:00
lynxkdi.c
main.c
main: Drop more #ifdefs
2018-12-06 23:26:30 -05:00
Makefile
usb: Rename SPL_USB_SUPPORT to SPL_USB_STORAGE
2019-02-15 22:01:15 +01:00
malloc_simple.c
malloc_simple: Add logging of allocations
2018-11-29 09:30:05 -07:00
memsize.c
menu.c
miiphyutil.c
miiphy: Add function to retrieve MDIO bus list head
2018-10-24 14:45:36 -05:00
s_record.c
splash_source.c
splash.c
stdio.c
system_map.c
update.c
usb_hub.c
usb: s/CONFIG_DM_USB/CONFIG_IS_ENABLED(DM_USB)/
2018-11-26 21:19:03 +01:00
usb_kbd.c
usb: s/CONFIG_DM_USB/CONFIG_IS_ENABLED(DM_USB)/
2018-11-26 21:19:03 +01:00
usb_storage.c
usb: storage: s/CONFIG_BLK/CONFIG_IS_ENABLED(BLK)/
2018-11-26 21:19:04 +01:00
usb.c
usb: s/CONFIG_DM_USB/CONFIG_IS_ENABLED(DM_USB)/
2018-11-26 21:19:03 +01:00
xyzModem.c
xyz-modem: Fix timeout loop waiting with WATCHDOG
2019-01-15 15:28:51 -05:00