On Fri, 05 Jun 2026 15:42:48 +0000, Aristo Chen wrote:

> For a compressed kernel_noload image, bootm_load_os() allocates a
> decompression buffer of ALIGN(image_len * 4, SZ_1M) and then passes
> CONFIG_SYS_BOOTM_LEN (typically 128 MiB on arm64) to image_decomp() as
> the output limit. The decompressors honour whatever limit they are
> given, so a kernel that decompresses to more than four times its
> compressed size runs past the end of the allocated buffer and silently
> corrupts adjacent memory.
> 
> [...]

Applied to u-boot/next, thanks!

[1/3] bootm: fix overflow of the noload kernel decompression buffer
      commit: 2ff26c1e37858ba0b2fd12c82e114a3cedcb317a
[2/3] bootm: increase kernel_noload decompression headroom from 4x to 8x
      commit: 4956f108539135afb1afdec2b509f62291087d16
[3/3] test/py: test kernel_noload decompression buffer overflow
      commit: a7ea33e3a35860326aeb5792f337bd9082d40ecf
-- 
Tom
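
The mismatch described in the quoted cover letter, as an added example (a stand-alone model, not U-Boot code and not taken from the applied commits). The toy run-length decoder, the 16 KiB image, the canary arena and all function names are constructed for illustration; handing the decoder the allocation size as its limit is shown as one assumed way to close the gap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SZ_1M             (1u << 20)
#define MODEL_ALIGN(x, a) (((x) + (a) - 1) / (a) * (a)) /* models ALIGN() */
#define BOOTM_LEN         (128u * SZ_1M) /* models CONFIG_SYS_BOOTM_LEN */
#define IMAGE_LEN         (16u * 1024)   /* constructed compressed size */
#define CANARY            0xA5
struct result { long out_len; int overrun; };
static size_t noload_buf_size(size_t len) { return MODEL_ALIGN(len * 4, SZ_1M); }

/* Toy run-length decoder (constructed): (count, byte) pairs. It knows
 * only the limit it is handed, not the size of the buffer behind out. */
static long rle_decomp(const uint8_t *in, size_t in_len, uint8_t *out, size_t limit)
{
    size_t o = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        if (in[i] > limit - o) return -1;  /* output would exceed limit */
        memset(out + o, in[i + 1], in[i]);
        o += in[i];
    }
    return (long)o;
}

/* 1 MiB buffer at the start of a 4 MiB canary arena: the constructed image
 * expands to about 2 MiB, so any overrun lands in canary bytes. */
static struct result run_model(size_t limit)
{
    size_t buf = noload_buf_size(IMAGE_LEN), arena_len = 4 * (size_t)SZ_1M;
    uint8_t *image = malloc(IMAGE_LEN), *arena = malloc(arena_len);
    struct result r = { -1, 0 };
    if (image && arena) {
        for (size_t i = 0; i < IMAGE_LEN; i += 2) { image[i] = 255; image[i + 1] = 0; }
        memset(arena, CANARY, arena_len);
        r.out_len = rle_decomp(image, IMAGE_LEN, arena, limit);
        for (size_t i = buf; i < arena_len && !r.overrun; i++)
            r.overrun = arena[i] != CANARY;  /* written past the buffer? */
    }
    free(image); free(arena);
    return r;
}

int main(void)
{
    struct result a = run_model(BOOTM_LEN), b = run_model(noload_buf_size(IMAGE_LEN));
    printf("BOOTM_LEN limit: overrun=%d; buffer-size limit: overrun=%d\n", a.overrun, b.overrun);
    return 0;
}
```

With the 128 MiB limit the decoder reports success while the canary region is overwritten; with the allocation size as the limit it returns an error before writing past the buffer.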

