diff options
| author | Eugeniu Rosca <erosca@de.adit-jv.com> | 2019-03-14 18:31:39 +0100 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2019-03-22 12:15:18 -0400 |
| commit | e63bf1b13b3a7ac610c238cc19041381e890900f (patch) | |
| tree | 7ec45f027257bc49f2948215e43b0280893fb9a6 | |
| parent | 72987d38f6170f5fe4a592f5fc542543704e6d39 (diff) | |
| download | u-boot-e63bf1b13b3a7ac610c238cc19041381e890900f.tar.gz | |
common: image-android-dt: Fix out-of-bounds access
Currently, 'dtimg' allows users to check indexes equal to
dt_entry_count [1]. Forbid that [2].
[1] Behavior w/o the patch:
=> ext2load mmc 0:1 0x48000000 dtb.img
105695 bytes read in 5 ms (20.2 MiB/s)
=> dtimg dump 0x48000000
dt_table_header:
magic = d7b7ab1e
total_size = 105695
header_size = 32
dt_entry_size = 32
dt_entry_count = 2
dt_entries_offset = 32
page_size = 4096
version = 0
dt_table_entry[0]:
dt_size = 105599
dt_offset = 96
id = 0b779520
rev = 00000000
custom[0] = 00000000
custom[1] = 00000000
custom[2] = 00000000
custom[3] = 00000000
(FDT)size = 105599
(FDT)compatible = shimafuji,kingfisher
dt_table_entry[1]:
dt_size = 105599
dt_offset = 96
id = 0b779530
rev = 00000000
custom[0] = 00000000
custom[1] = 00000000
custom[2] = 00000000
custom[3] = 00000000
(FDT)size = 105599
(FDT)compatible = shimafuji,kingfisher
=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z; print z
z=d00dfeed
=> dtimg size 0x48000000 3 z
Error: index > dt_entry_count (3 > 2)
[2] Behavior with the patch:
=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z
Error: index >= dt_entry_count (2 >= 2)
Fixes: c04473345712 ("common: Add support for Android DT image")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
| -rw-r--r-- | common/image-android-dt.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/common/image-android-dt.c b/common/image-android-dt.c index c0683ee70f..6916826179 100644 --- a/common/image-android-dt.c +++ b/common/image-android-dt.c @@ -53,8 +53,8 @@ bool android_dt_get_fdt_by_index(ulong hdr_addr, u32 index, ulong *addr, entry_size = fdt32_to_cpu(hdr->dt_entry_size); unmap_sysmem(hdr); - if (index > entry_count) { - printf("Error: index > dt_entry_count (%u > %u)\n", index, + if (index >= entry_count) { + printf("Error: index >= dt_entry_count (%u >= %u)\n", index, entry_count); return false; } |