Re: [U-Boot] [PATCH] kwbimage: Fix out of bounds access
On 15.03.2018 11:14, Alexander Graf wrote: The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size. Signed-off-by: Alexander Graf--- tools/kwbimage.c | 4 1 file changed, 4 insertions(+) diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum; + size_t header_size = kwbimage_header_size(ptr); + + if (header_size > image_size) + return -FDT_ERR_BADSTRUCTURE; if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE; Applied to u-boot-marvell/master. Thanks, Stefan ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
Re: [U-Boot] [PATCH] kwbimage: Fix out of bounds access
On 15.03.2018 11:14, Alexander Graf wrote: The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size. Signed-off-by: Alexander Graf--- tools/kwbimage.c | 4 1 file changed, 4 insertions(+) diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum; + size_t header_size = kwbimage_header_size(ptr); + + if (header_size > image_size) + return -FDT_ERR_BADSTRUCTURE; if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE; Reviewed-by: Stefan Roese Thanks, Stefan ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
Re: [U-Boot] [PATCH] kwbimage: Fix out of bounds access
On 15.3.2018 11:14, Alexander Graf wrote: > The kwbimage format is reading beyond its header structure if it > misdetects a Xilinx Zynq image and tries to read it. Fix it by > sanity checking that the header we want to read fits inside our > file size. > > Signed-off-by: Alexander Graf> --- > tools/kwbimage.c | 4 > 1 file changed, 4 insertions(+) > > diff --git a/tools/kwbimage.c b/tools/kwbimage.c > index 3ca3b3b4a6..26686ad30f 100644 > --- a/tools/kwbimage.c > +++ b/tools/kwbimage.c > @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, > int image_size, > struct image_tool_params *params) > { > uint8_t checksum; > + size_t header_size = kwbimage_header_size(ptr); > + > + if (header_size > image_size) > + return -FDT_ERR_BADSTRUCTURE; > > if (!main_hdr_checksum_ok(ptr)) > return -FDT_ERR_BADSTRUCTURE; > Tested-by: Michal Simek Thanks, Michal ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
[U-Boot] [PATCH] kwbimage: Fix out of bounds access
The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size. Signed-off-by: Alexander Graf--- tools/kwbimage.c | 4 1 file changed, 4 insertions(+) diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum; + size_t header_size = kwbimage_header_size(ptr); + + if (header_size > image_size) + return -FDT_ERR_BADSTRUCTURE; if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE; -- 2.12.3 ___ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot