spl: ymodem: Fix buffer overflow during Image copy

Message ID	20220131041919.1679901-1-vigneshr@ti.com
State	Accepted
Commit	c1335e2ca5e3947a61d93c094fbb4a9be9afc4ff
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Vignesh Raghavendra <vigneshr@ti.com> To: Tom Rini <trini@konsulko.com> CC: Stefan Roese <sr@denx.de>, Alexandru Gagniuc <mr.nuke.me@gmail.com>, <u-boot@lists.denx.de>, Vignesh Raghavendra <vigneshr@ti.com> Subject: [PATCH] spl: ymodem: Fix buffer overflow during Image copy Date: Mon, 31 Jan 2022 09:49:19 +0530 Message-ID: <20220131041919.1679901-1-vigneshr@ti.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	spl: ymodem: Fix buffer overflow during Image copy \| expand spl: ymodem: Fix buffer overflow during Image copy

Message ID

20220131041919.1679901-1-vigneshr@ti.com

State

Accepted

Commit

c1335e2ca5e3947a61d93c094fbb4a9be9afc4ff

Delegated to:

Tom Rini

Headers

show

Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (1024-bit key;
 unprotected) header.d=ti.com header.i=@ti.com header.a=rsa-sha256
 header.s=ti-com-17Q1 header.b=GM7VqBg7;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4JnFGD68W6z9sFr
	for <incoming@patchwork.ozlabs.org>; Mon, 31 Jan 2022 15:20:02 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 5F46883035;
	Mon, 31 Jan 2022 05:19:54 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key;
 unprotected) header.d=ti.com header.i=@ti.com header.b="GM7VqBg7";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 291D883035; Mon, 31 Jan 2022 05:19:53 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,
 SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
 autolearn_force=no version=3.4.2
Received: from fllv0015.ext.ti.com (fllv0015.ext.ti.com [198.47.19.141])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 65B8E82A59
 for <u-boot@lists.denx.de>; Mon, 31 Jan 2022 05:19:50 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=vigneshr@ti.com
Received: from lelv0265.itg.ti.com ([10.180.67.224])
 by fllv0015.ext.ti.com (8.15.2/8.15.2) with ESMTP id 20V4JhKU052919;
 Sun, 30 Jan 2022 22:19:43 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com;
 s=ti-com-17Q1; t=1643602783;
 bh=9qj298DbRThRt+FrxJVYpAT50Lg1bRk89t+nHweSAxQ=;
 h=From:To:CC:Subject:Date;
 b=GM7VqBg7WmUiy4O8pBBYfE7njtecMhs0iiLc/P5wwgeKoJV04LFGfxWuqLBIIel60
 YphSk12xCEpvIo2DZrrruq0f31/ST5Ab2GlZkUtkHyeXi6KhxPI7fryf89ufUljRIg
 NxFOSivoeitg4YVQcRB4bVo6xtzqXwOSlBeKHGmQ=
Received: from DFLE113.ent.ti.com (dfle113.ent.ti.com [10.64.6.34])
 by lelv0265.itg.ti.com (8.15.2/8.15.2) with ESMTPS id 20V4JhF2109686
 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL);
 Sun, 30 Jan 2022 22:19:43 -0600
Received: from DFLE101.ent.ti.com (10.64.6.22) by DFLE113.ent.ti.com
 (10.64.6.34) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.14; Sun, 30
 Jan 2022 22:19:43 -0600
Received: from lelv0327.itg.ti.com (10.180.67.183) by DFLE101.ent.ti.com
 (10.64.6.22) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.14 via
 Frontend Transport; Sun, 30 Jan 2022 22:19:43 -0600
Received: from ula0132425.ent.ti.com (ileax41-snat.itg.ti.com
 [10.172.224.153])
 by lelv0327.itg.ti.com (8.15.2/8.15.2) with ESMTP id 20V4Jew8125421;
 Sun, 30 Jan 2022 22:19:41 -0600
From: Vignesh Raghavendra <vigneshr@ti.com>
To: Tom Rini <trini@konsulko.com>
CC: Stefan Roese <sr@denx.de>, Alexandru Gagniuc <mr.nuke.me@gmail.com>,
 <u-boot@lists.denx.de>, Vignesh Raghavendra <vigneshr@ti.com>
Subject: [PATCH] spl: ymodem: Fix buffer overflow during Image copy
Date: Mon, 31 Jan 2022 09:49:19 +0530
Message-ID: <20220131041919.1679901-1-vigneshr@ti.com>
X-Mailer: git-send-email 2.35.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Series

spl: ymodem: Fix buffer overflow during Image copy | expand

Commit Message

Raghavendra, Vignesh Jan. 31, 2022, 4:19 a.m. UTC

ymodem_read_fit() driver will end copying up to BUF_SIZE boundary even
when requested size of copy operation is less than that.
For example, if offset = 0, size = 1440B, ymodem_read_fit() ends up
copying 2KB from offset = 0, to destination buffer addr

This causes data corruption when malloc'd buffer is passed during UART
boot since commit 03f1f78a9b44 ("spl: fit: Prefer a malloc()'d buffer
for loading images")

With this, UART boot works again on K3 (AM654, J7, AM64) family of
devices.

Fixes: 03f1f78a9b44 ("spl: fit: Prefer a malloc()'d buffer for loading images")
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
---
 common/spl/spl_ymodem.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

Comments

Tom Rini Feb. 4, 2022, 12:41 a.m. UTC | #1

On Mon, Jan 31, 2022 at 09:49:19AM +0530, Vignesh Raghavendra wrote:

> ymodem_read_fit() driver will end copying up to BUF_SIZE boundary even
> when requested size of copy operation is less than that.
> For example, if offset = 0, size = 1440B, ymodem_read_fit() ends up
> copying 2KB from offset = 0, to destination buffer addr
> 
> This causes data corruption when malloc'd buffer is passed during UART
> boot since commit 03f1f78a9b44 ("spl: fit: Prefer a malloc()'d buffer
> for loading images")
> 
> With this, UART boot works again on K3 (AM654, J7, AM64) family of
> devices.
> 
> Fixes: 03f1f78a9b44 ("spl: fit: Prefer a malloc()'d buffer for loading images")
> Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>

Applied to u-boot/master, thanks!

diff --git a/common/spl/spl_ymodem.c b/common/spl/spl_ymodem.c
index 047df74856..fdd5261042 100644
--- a/common/spl/spl_ymodem.c
+++ b/common/spl/spl_ymodem.c
@@ -42,6 +42,7 @@  static ulong ymodem_read_fit(struct spl_load_info *load, ulong offset,
 	int res, err, buf_offset;
 	struct ymodem_fit_info *info = load->priv;
 	char *buf = info->buf;
+	ulong copy_size = size;
 
 	while (info->image_read < offset) {
 		res = xyzModem_stream_read(buf, BUF_SIZE, &err);
@@ -57,8 +58,14 @@  static ulong ymodem_read_fit(struct spl_load_info *load, ulong offset,
 			buf_offset = (info->image_read % BUF_SIZE);
 		else
 			buf_offset = BUF_SIZE;
+
+		if (res > copy_size) {
+			memcpy(addr, &buf[buf_offset - res], copy_size);
+			goto done;
+		}
 		memcpy(addr, &buf[buf_offset - res], res);
 		addr = addr + res;
+		copy_size -= res;
 	}
 
 	while (info->image_read < offset + size) {
@@ -66,11 +73,17 @@  static ulong ymodem_read_fit(struct spl_load_info *load, ulong offset,
 		if (res <= 0)
 			break;
 
-		memcpy(addr, buf, res);
 		info->image_read += res;
+		if (res > copy_size) {
+			memcpy(addr, buf, copy_size);
+			goto done;
+		}
+		memcpy(addr, buf, res);
 		addr += res;
+		copy_size -= res;
 	}
 
+done:
 	return size;
 }

spl: ymodem: Fix buffer overflow during Image copy

Commit Message

Comments

Patch