From patchwork Fri Nov 18 11:50:24 2022
X-Patchwork-Submitter: Mikhail Ilin
X-Patchwork-Id: 1705584
X-Patchwork-Delegate: trini@ti.com
From: Mikhail Ilin
To: u-boot@lists.denx.de
Cc: Mikhail Ilin
Subject: [PATCH] tool: ifwitool: Fix buffer overflow
Date: Fri, 18 Nov 2022 14:50:24 +0300
Message-Id: <20221118115024.9092-1-ilin.mikhail.ol@gmail.com>
X-Mailer: git-send-email 2.17.1

An incorrect 1st parameter is passed to the fix_member() function. It
should use a pointer to the beginning of the parent structure (bpdt or
subpart_dir, because they are boxed), not to their fields. Otherwise,
this leads to an overrun of the structure boundary, since in the
fix_member() function an 'offset' is made relative to the 1st argument,
which itself is an 'offset' from the beginning of the structure.

Signed-off-by: Mikhail Ilin
Reviewed-by: Simon Glass
---
 tools/ifwitool.c | 44 +++++++++++++++++++-------------------------
 1 file changed, 19 insertions(+), 25 deletions(-)

diff --git a/tools/ifwitool.c b/tools/ifwitool.c
index 543e9d4e70..5cc0981411 100644
--- a/tools/ifwitool.c
+++ b/tools/ifwitool.c
@@ -1443,23 +1443,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf) size_t offset = 0; - offset = fix_member(&h->signature, offset, sizeof(h->signature)); - offset = fix_member(&h->descriptor_count, offset, - sizeof(h->descriptor_count)); - offset = fix_member(&h->bpdt_version, offset, sizeof(h->bpdt_version)); - offset = fix_member(&h->xor_redundant_block, offset, - sizeof(h->xor_redundant_block)); - offset = fix_member(&h->ifwi_version, offset, sizeof(h->ifwi_version)); - offset = fix_member(&h->fit_tool_version, offset, - sizeof(h->fit_tool_version)); + offset = fix_member(&s, offset, sizeof(h->signature)); + offset = fix_member(&s, offset, sizeof(h->descriptor_count)); + offset = fix_member(&s, offset, sizeof(h->bpdt_version)); + offset = fix_member(&s, offset, sizeof(h->xor_redundant_block)); + offset = fix_member(&s, offset, sizeof(h->ifwi_version)); + offset = fix_member(&s, offset, sizeof(h->fit_tool_version)); uint32_t i; for (i = 0; i < count; i++) { - offset = fix_member(&e[i].type, offset, sizeof(e[i].type)); - offset = fix_member(&e[i].flags, offset, sizeof(e[i].flags)); - offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset)); - offset = fix_member(&e[i].size, offset, sizeof(e[i].size)); + offset = fix_member(&s, offset, sizeof(e[i].type)); + offset = fix_member(&s, offset, sizeof(e[i].flags)); + offset = fix_member(&s, offset, sizeof(e[i].offset)); + offset = fix_member(&s, offset, sizeof(e[i].size)); } } 
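Review bot: every new call passes `&s` as the base, but `s` and its relationship to `h` and `e` are not in this hunk's context, so a reader cannot confirm from the patch that `h` and `e` point into `s` and that the running `offset` tracks the member's position inside it; a one-line comment above the first `fix_member(&s, offset, sizeof(h->signature));` stating that `offset` must equal the member's offset within the packed structure would document the invariant the fix depends on. Because the arithmetic is now only right if there is no padding between members and the entry array follows the header without a gap, a compile-time check (for example a static assertion that the header size equals the sum of its member sizes) would catch a future layout change that would otherwise silently move the swaps onto the wrong bytes.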
@@ -1657,24 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf) size_t count = h->num_entries; size_t offset = 0; - offset = fix_member(&h->marker, offset, sizeof(h->marker)); - offset = fix_member(&h->num_entries, offset, sizeof(h->num_entries)); - offset = fix_member(&h->header_version, offset, - sizeof(h->header_version)); - offset = fix_member(&h->entry_version, offset, - sizeof(h->entry_version)); - offset = fix_member(&h->header_length, offset, - sizeof(h->header_length)); - offset = fix_member(&h->checksum, offset, sizeof(h->checksum)); + offset = fix_member(&s, offset, sizeof(h->marker)); + offset = fix_member(&s, offset, sizeof(h->num_entries)); + offset = fix_member(&s, offset, sizeof(h->header_version)); + offset = fix_member(&s, offset, sizeof(h->entry_version)); + offset = fix_member(&s, offset, sizeof(h->header_length)); + offset = fix_member(&s, offset, sizeof(h->checksum)); offset += sizeof(h->name); uint32_t i; for (i = 0; i < count; i++) { offset += sizeof(e[i].name); - offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset)); - offset = fix_member(&e[i].length, offset, sizeof(e[i].length)); - offset = fix_member(&e[i].rsvd, offset, sizeof(e[i].rsvd)); + offset = fix_member(&s, offset, sizeof(e[i].offset)); + offset = fix_member(&s, offset, sizeof(e[i].length)); + offset = fix_member(&s, offset, sizeof(e[i].rsvd)); } }
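Review bot: same correction as the bpdt hunk, but the unchanged manual skips `offset += sizeof(h->name);` and `offset += sizeof(e[i].name);` deserve a comment now: with `&s` as the base, every byte of the header and of each entry has to be accounted for in `offset`, so a `name` field that is not exactly contiguous with `checksum` or with the entry's `offset` would shift all later swaps onto neighbouring bytes while staying in bounds, which is harder to spot than the old overrun. Suggest noting that `name` is skipped on purpose because it is a byte array that needs no swap, and adding a static assertion on the entry size; the commit message could also say how the fix was checked (e.g. comparing an image written before and after), since the old code corrupted memory without failing.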
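The double-counted offset the commit message describes, as an added example after the patch (constructed here, not the tool's own code): a hypothetical packed header and a stand-in fix_member() with the calling convention the message describes are walked once with each field's address as the base (the old call) and once with the structure's address (the fix). The walk is bounds-checked, so the old variant reports the overrun instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for one of the tool's packed headers (hypothetical
 * layout): no padding, so each member's offset equals the sizes before it. */
struct __attribute__((packed)) hdr {
    uint16_t signature;
    uint16_t descriptor_count;
    uint32_t bpdt_version;
};

/* Reverse 'size' bytes at base+offset in place and return the next offset.
 * This is the calling convention the commit message describes (assumed). */
static size_t fix_member(void *base, size_t offset, size_t size)
{
    uint8_t *p = (uint8_t *)base + offset;
    for (size_t i = 0; i < size / 2; i++) {
        uint8_t t = p[i];
        p[i] = p[size - 1 - i];
        p[size - 1 - i] = t;
    }
    return offset + size;
}

/* Walk the three members the way the patched code does. With use_field_base
 * set, each call's base is &field (the old, buggy call); otherwise it is &s
 * (the fix). Each call is bounds-checked against sizeof s before any byte is
 * touched. Returns 0 on a would-be overrun, else the swapped bpdt_version. */
uint32_t walk_header(int use_field_base)
{
    struct hdr s = { 0x1122, 0x3344, 0x55667788u };
    uint8_t *field[] = { (uint8_t *)&s.signature,
                         (uint8_t *)&s.descriptor_count,
                         (uint8_t *)&s.bpdt_version };
    size_t size[] = { sizeof s.signature, sizeof s.descriptor_count,
                      sizeof s.bpdt_version };
    size_t offset = 0;
    for (int i = 0; i < 3; i++) {
        uint8_t *base = use_field_base ? field[i] : (uint8_t *)&s;
        size_t base_off = (size_t)(base - (uint8_t *)&s);
        /* Old code: base already sits at the member and 'offset' is added
         * on top, so the same distance is counted twice. */
        if (base_off + offset + size[i] > sizeof s)
            return 0;
        offset = fix_member(base, offset, size[i]);
    }
    return s.bpdt_version;   /* 0x55667788 reversed in memory: 0x88776655 */
}
```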