From patchwork Sun Jul 5 00:35:55 2015
X-Patchwork-Submitter: Giancarlo Canales
X-Patchwork-Id: 491295
From: Giancarlo Canales
Subject: [cbootimage PATCH] tN: if_bct_is_tN_get_soc_config: Adds bounds checking to the BCT buffer.
Date: Sat, 04 Jul 2015 20:35:55 -0400
To: linux-tegra@vger.kernel.org

Checks if the BCT buffer is too small to be a valid `nvboot_config_table`.

Signed-off-by: Giancarlo Canales Barreto
---
 src/t114/nvbctlib_t114.c | 3 +++
 src/t124/nvbctlib_t124.c | 3 +++
 src/t132/nvbctlib_t132.c | 3 +++
 src/t20/nvbctlib_t20.c | 3 +++
 src/t210/nvbctlib_t210.c | 3 +++
 src/t30/nvbctlib_t30.c | 3 +++
 6 files changed, 18 insertions(+)

--
2.1.4

diff --git a/src/t114/nvbctlib_t114.c b/src/t114/nvbctlib_t114.c index dad8f4f..df68369 100644 --- a/src/t114/nvbctlib_t114.c +++ b/src/t114/nvbctlib_t114.c @@ -1139,6 +1139,9 @@ int if_bct_is_t114_get_soc_config(build_image_context *context, { nvboot_config_table * bct = (nvboot_config_table *) context->bct; + if (context->bct_size < sizeof(nvboot_config_table)) + return 0; + if (bct->boot_data_version == BOOTDATA_VERSION_T114) { t114_get_soc_config(context, soc_config); diff --git a/src/t124/nvbctlib_t124.c b/src/t124/nvbctlib_t124.c index 5df93cd..1f6dc05 100644 --- a/src/t124/nvbctlib_t124.c +++ b/src/t124/nvbctlib_t124.c @@ -1152,6 +1152,9 @@ int if_bct_is_t124_get_soc_config(build_image_context *context, { nvboot_config_table *bct = (nvboot_config_table *) context->bct; + if (context->bct_size < sizeof(nvboot_config_table)) + return 0; + if (bct->boot_data_version == BOOTDATA_VERSION_T124) { t124_get_soc_config(context, soc_config); return 1; 
diff --git a/src/t132/nvbctlib_t132.c b/src/t132/nvbctlib_t132.c index ab5ab34..4e5d31a 100644 --- a/src/t132/nvbctlib_t132.c +++ b/src/t132/nvbctlib_t132.c @@ -1233,6 +1233,9 @@ int if_bct_is_t132_get_soc_config(build_image_context *context, { nvboot_config_table *bct = (nvboot_config_table *) context->bct; + if (context->bct_size < sizeof(nvboot_config_table)) + return 0; + if (bct->boot_data_version == BOOTDATA_VERSION_T132) { t132_get_soc_config(context, soc_config); return 1; diff --git a/src/t20/nvbctlib_t20.c b/src/t20/nvbctlib_t20.c index 4e07bf2..813806f 100644 --- a/src/t20/nvbctlib_t20.c +++ b/src/t20/nvbctlib_t20.c @@ -719,6 +719,9 @@ int if_bct_is_t20_get_soc_config(build_image_context *context, cbootimage_soc_config **soc_config) { nvboot_config_table * bct = (nvboot_config_table *) context->bct; + + if (context->bct_size < sizeof(nvboot_config_table)) + return 0; if (bct->boot_data_version == BOOTDATA_VERSION_T20) { diff --git a/src/t210/nvbctlib_t210.c b/src/t210/nvbctlib_t210.c index 9921bbb..46da441 100644 --- a/src/t210/nvbctlib_t210.c +++ b/src/t210/nvbctlib_t210.c @@ -2306,6 +2306,9 @@ int if_bct_is_t210_get_soc_config(build_image_context *context, { nvboot_config_table *bct = (nvboot_config_table*) context->bct; + if (context->bct_size < sizeof(nvboot_config_table)) + return 0; + if (bct->boot_data_version == BOOTDATA_VERSION_T210) { t210_get_soc_config(context, soc_config); return 1; diff --git a/src/t30/nvbctlib_t30.c b/src/t30/nvbctlib_t30.c index df3bef0..3590c89 100644 --- a/src/t30/nvbctlib_t30.c +++ b/src/t30/nvbctlib_t30.c @@ -927,6 +927,9 @@ int if_bct_is_t30_get_soc_config(build_image_context *context, { nvboot_config_table * bct = (nvboot_config_table *) context->bct; + if (context->bct_size < sizeof(nvboot_config_table)) + return 0; + if (bct->boot_data_version == BOOTDATA_VERSION_T30) { t30_get_soc_config(context, soc_config);
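Review bot: In the t114 hunk, and in the identical three added lines of the t124, t132, t210 and t30 hunks, the new `return 0;` for a short buffer gives the caller no way to tell a truncated BCT from one that simply does not match this SoC: the only other return visible in the context lines is `return 1` on a `boot_data_version` match, and if the mismatch path also returns 0 (not shown in the hunk) the two cases collapse. Consider printing a diagnostic that includes `context->bct_size` and the expected `sizeof(nvboot_config_table)` before returning, or at least a comment saying that a short buffer is deliberately treated as "not this SoC". Please also confirm that `bct_size` is an unsigned type and holds the number of bytes actually read into `context->bct`; if it is signed, the comparison against `sizeof` converts it to unsigned and a negative value would pass the check.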
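Review bot: In the t20 hunk the blank `+` line comes before the new `if (context->bct_size < sizeof(nvboot_config_table))` check, whereas in the other five hunks it comes after `return 0;`, so the six functions no longer get the same edit. Please make the t20 placement match the others, and make sure the added blank line carries no trailing whitespace. Since the same three lines are now pasted into six files, a small shared macro or inline helper for the size check would keep them from drifting apart like this.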