Message ID | 20230323195755.5131-5-pali@kernel.org |
---|---|
State | Accepted |
Commit | bb949e1da02b1744645e0c3a46fe9c2a67197fe8 |
Delegated to: | Stefan Roese |
Series | mvebu: Fix UART booting |
On 3/23/23 20:57, Pali Rohár wrote: > Sending of very small images (smaller than 128 bytes = xmodem block size) > causes out-of-bound memory read access. Fix this issue by ensuring that > hdrsz when sending image is not larger than total size of the image. > Issue was introduced in commit f8017c37799c ("tools: kwboot: Fix sending > Kirkwood v0 images"). Special case when total image is smaller than header > size aligned to multiple of xmodem size is already handled since that > commit. > > Fixes: f8017c37799c ("tools: kwboot: Fix sending Kirkwood v0 images") > Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> Thanks, Stefan > --- > tools/kwboot.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/tools/kwboot.c b/tools/kwboot.c > index 23a893a9b9f8..1cf78dda6755 100644 > --- a/tools/kwboot.c > +++ b/tools/kwboot.c > @@ -1458,6 +1458,8 @@ kwboot_xmodem(int tty, const void *_img, size_t size, int baudrate) > * followed by the header. So align header size to xmodem block size. > */ > hdrsz += (KWBOOT_XM_BLKSZ - hdrsz % KWBOOT_XM_BLKSZ) % KWBOOT_XM_BLKSZ; > + if (hdrsz > size) > + hdrsz = size; > > pnum = 1; > Best regards, Stefan Roese
diff --git a/tools/kwboot.c b/tools/kwboot.c index 23a893a9b9f8..1cf78dda6755 100644 --- a/tools/kwboot.c +++ b/tools/kwboot.c @@ -1458,6 +1458,8 @@ kwboot_xmodem(int tty, const void *_img, size_t size, int baudrate) * followed by the header. So align header size to xmodem block size. */ hdrsz += (KWBOOT_XM_BLKSZ - hdrsz % KWBOOT_XM_BLKSZ) % KWBOOT_XM_BLKSZ; + if (hdrsz > size) + hdrsz = size; pnum = 1;
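Review bot: The clamp `if (hdrsz > size) hdrsz = size;` sits directly under the comment that says the header size is aligned to the xmodem block size, yet after the clamp hdrsz is no longer guaranteed to be a multiple of KWBOOT_XM_BLKSZ. Suggest a short comment on the two new lines stating that the value is capped at the image size for images shorter than the aligned header, and that the send path must cope with a short final header block. It is also worth confirming the size == 0 case, where hdrsz becomes 0 while pnum still starts at 1; nothing in this hunk rejects an empty image.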
Sending of very small images (smaller than 128 bytes = xmodem block size) causes out-of-bound memory read access. Fix this issue by ensuring that hdrsz when sending image is not larger than total size of the image.

Issue was introduced in commit f8017c37799c ("tools: kwboot: Fix sending Kirkwood v0 images"). Special case when total image is smaller than header size aligned to multiple of xmodem size is already handled since that commit.

Fixes: f8017c37799c ("tools: kwboot: Fix sending Kirkwood v0 images")
Signed-off-by: Pali Rohár <pali@kernel.org>
---
tools/kwboot.c | 2 ++
1 file changed, 2 insertions(+)
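The bounds problem the commit message describes, as an added example that is not kwboot's code: it reuses the alignment expression from the hunk to show how far the aligned header span runs past a small image, and what the clamp changes. The names `header_span`, `overread` and `fill_block`, the 40-byte header, the 100-byte image and the zero-fill of a short final block are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XM_BLKSZ 128 /* xmodem block size, per the commit message */

/* Round hdrsz up to a multiple of XM_BLKSZ using the expression from the
 * hunk; with clamp set, also apply the fix and cap the result at size. */
static size_t header_span(size_t hdrsz, size_t size, int clamp)
{
	hdrsz += (XM_BLKSZ - hdrsz % XM_BLKSZ) % XM_BLKSZ;
	if (clamp && hdrsz > size)
		hdrsz = size;
	return hdrsz;
}

/* Bytes a sender walking img[0..span) would read past the end of an
 * image of the given size; 0 means every read stays in bounds. */
static size_t overread(size_t span, size_t size)
{
	return span > size ? span - size : 0;
}

/* Hypothetical helper (not kwboot's): build the data part of the block
 * starting at off, taking at most span - off bytes from img and zero-filling
 * the rest of a short final block. Returns the bytes taken from img. */
static size_t fill_block(uint8_t out[XM_BLKSZ], const uint8_t *img,
			 size_t span, size_t off)
{
	size_t n = off < span ? span - off : 0;
	if (n > XM_BLKSZ)
		n = XM_BLKSZ;
	memcpy(out, img + off, n);
	memset(out + n, 0, XM_BLKSZ - n);
	return n;
}

int main(void)
{
	uint8_t img[100], blk[XM_BLKSZ]; /* constructed 100-byte image */
	size_t before, after;
	memset(img, 0xA5, sizeof(img));
	before = header_span(40, sizeof(img), 0); /* constructed 40-byte header */
	after = header_span(40, sizeof(img), 1);
	printf("unclamped: span %zu, overread %zu\n", before, overread(before, sizeof(img)));
	printf("clamped: span %zu, block takes %zu\n", after, fill_block(blk, img, after, 0));
	return 0;
}
```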