Patchwork [U-Boot,6/6] bootm: allow correct bounds-check of destination

login
register
mail settings
Submitter Kees Cook
Date Aug. 16, 2013, 2:59 p.m.
Message ID <1376665157-31268-7-git-send-email-keescook@chromium.org>
Download mbox | patch
Permalink /patch/267676/
State Accepted
Delegated to: Tom Rini
Headers show

Comments

Kees Cook - Aug. 16, 2013, 2:59 p.m.
While nothing presently examines the destination size, it should at
least be correct so that future users of sys_mapmem() will not be
surprised. Without this, it might be possible to overflow memory.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
---
 common/cmd_bootm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index 046e22f..0f67112 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -368,7 +368,7 @@  static int bootm_load_os(bootm_headers_t *images, unsigned long *load_end,
 
 	const char *type_name = genimg_get_type_name(os.type);
 
-	load_buf = map_sysmem(load, image_len);
+	load_buf = map_sysmem(load, unc_len);
 	image_buf = map_sysmem(image_start, image_len);
 	switch (comp) {
 	case IH_COMP_NONE: