authorEvan Benn <evanbenn@chromium.org>2023-01-18 14:17:58 +1100
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-01-27 10:13:51 +0000
commit0b426134a5c36866738a1a344670481d088ef6ee (patch)
treeb59b026e468431064ec4709495e5e2c09911e229
parent9fff950d802f36f2b934f6d496424fd2154b6230 (diff)
host: flashrom_drv: Read fmap layout from flash only
flashrom_read_region was attempting to read the fmap from the provided destination buffer before falling back to the rom with a warning. Then it would leak the buffer anyway using calloc. This was undocumented behaviour. There is only one callsite of this function (futility manifest_detect_model_from_frid) and it does not use this feature: it initialises a zeroed firmware_image. BUG=b:265861606 BRANCH=None TEST=futility update -a /usr/sbin/chromeos-firmwareupdate --detect-model-only # grunt Change-Id: I90b4be9b1b22b19c84252425e770e30e4def3a7c Signed-off-by: Evan Benn <evanbenn@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4170145 Tested-by: Edward O'Callaghan <quasisec@chromium.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Edward O'Callaghan <quasisec@chromium.org> Reviewed-by: Sam McNally <sammc@chromium.org>
-rw-r--r--host/lib/flashrom_drv.c17
1 files changed, 5 insertions, 12 deletions
diff --git a/host/lib/flashrom_drv.c b/host/lib/flashrom_drv.c
index a9889cc9..880a0fc9 100644
--- a/host/lib/flashrom_drv.c
+++ b/host/lib/flashrom_drv.c
@@ -80,19 +80,12 @@ static int flashrom_read_image_impl(struct firmware_image *image,
flashrom_flag_set(flashctx, FLASHROM_FLAG_SKIP_UNREADABLE_REGIONS, true);
if (region) {
- r = flashrom_layout_read_fmap_from_buffer(
- &layout, flashctx, (const uint8_t *)image->data,
- image->size);
+ r = flashrom_layout_read_fmap_from_rom(
+ &layout, flashctx, 0, len);
if (r > 0) {
- WARN("could not read fmap from image, r=%d, "
- "falling back to read from rom\n", r);
- r = flashrom_layout_read_fmap_from_rom(
- &layout, flashctx, 0, len);
- if (r > 0) {
- ERROR("could not read fmap from rom, r=%d\n", r);
- r = -1;
- goto err_cleanup;
- }
+ ERROR("could not read fmap from rom, r=%d\n", r);
+ r = -1;
+ goto err_cleanup;
}
// empty region causes seg fault in API.
r |= flashrom_layout_include_region(layout, region);
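Review bot: The guard `if (r > 0)` after `flashrom_layout_read_fmap_from_rom` only treats positive return codes as failure, so a negative return would fall through to `flashrom_layout_include_region(layout, region)` with a layout that was never populated. Whether the library can return a negative value is not visible from this hunk, but `if (r != 0)` costs nothing and keeps the error path closed now that the rom read is the only attempt. The comment above the `r |= ...` line says an empty region crashes the API, yet the visible check `if (region)` only rejects NULL; unless callers already guarantee a non-empty name, testing `region[0] != '\0'` as well would be a cheap safeguard. Since the commit message calls the old buffer behaviour undocumented, a short comment such as `/* image->data is ignored on entry; the fmap is always read from flash */` near this branch would record the new contract. flashrom_read_image_impl begins and ends outside the hunk.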