* [PATCH] reloc_bootstage: Fix out-of-bounds read
@ 2024-07-12  8:11 Richard Weinberger
  2024-07-13 15:13 ` Simon Glass
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Weinberger @ 2024-07-12  8:11 UTC (permalink / raw)
  To: u-boot
  Cc: patrick.delaunay, yangshiji66, raymond.mao, n-jain1, eugeneuriev,
	ilias.apalodimas, devarsht, bmeng.cn, sjg, trini, upstream+uboot,
	Richard Weinberger

bootstage_get_size() returns the total size of the data structure
including associated records.
When copying from gd->bootstage, only the allocation size of gd->bootstage
must be used. Otherwise too much memory is copied.

This bug caused no harm so far because gd->new_bootstage is always
large enough and reading beyond the allocation length of gd->bootstage
caused no problem due to the U-Boot memory layout.

Fix by using the correct size and perform the initial copy directly
in bootstage_relocate() to have the whole relocation process in the
same function.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 common/board_f.c   | 6 ------
 common/bootstage.c | 7 ++++++-
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/common/board_f.c b/common/board_f.c
index 039d6d712d..f4d87692b9 100644
--- a/common/board_f.c
+++ b/common/board_f.c
@@ -683,12 +683,6 @@ static int reloc_bootstage(void)
 	if (gd->flags & GD_FLG_SKIP_RELOC)
 		return 0;
 	if (gd->new_bootstage) {
-		int size = bootstage_get_size();
-
-		debug("Copying bootstage from %p to %p, size %x\n",
-		      gd->bootstage, gd->new_bootstage, size);
-		memcpy(gd->new_bootstage, gd->bootstage, size);
-		gd->bootstage = gd->new_bootstage;
 		bootstage_relocate();
 	}
 #endif
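Review bot: with the copy removed from reloc_bootstage(), board_f.c no longer shows where bootstage is relocated from and to, unlike the other relocations in this file; consider keeping the debug() of gd->bootstage and gd->new_bootstage here, or passing the destination to bootstage_relocate() so the addresses stay visible in one place. The remaining `bootstage_relocate();` also discards the int return value of a function that now performs the copy as well; returning it from reloc_bootstage() would surface failures instead of silently continuing.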
diff --git a/common/bootstage.c b/common/bootstage.c
index 0e6d80718f..aea5a318df 100644
--- a/common/bootstage.c
+++ b/common/bootstage.c
@@ -58,10 +58,15 @@ struct bootstage_hdr {
 
 int bootstage_relocate(void)
 {
-	struct bootstage_data *data = gd->bootstage;
+	struct bootstage_data *data;
 	int i;
 	char *ptr;
 
+	debug("Copying bootstage from %p to %p\n", gd->bootstage,
+	      gd->new_bootstage);
+	memcpy(gd->new_bootstage, gd->bootstage, sizeof(struct bootstage_data));
+	data = gd->bootstage = gd->new_bootstage;
+
 	/* Figure out where to relocate the strings to */
 	ptr = (char *)(data + 1);
 
-- 
2.35.3


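The commit message distinguishes two sizes: the allocation of the header (sizeof the struct) and the total returned by bootstage_get_size(), which also counts the record strings stored after the header. The following added example, written for this page and not U-Boot code, uses a constructed stand-in struct (model_data, model_get_size, model_relocate are hypothetical names) to show how large the over-read of the old copy is and how the fixed flow copies only the header and then relocates the strings.

```c
#include <string.h>
/* Constructed stand-in for struct bootstage_data (not U-Boot's definition):
 * a fixed-size header whose records point at strings stored right after it. */
struct model_rec { const char *name; };
struct model_data { int rec_count; struct model_rec record[3]; };
/* Like bootstage_get_size(): header plus every record string, NULs included. */
static size_t model_get_size(const struct model_data *d)
{
	size_t size = sizeof(*d);
	for (int i = 0; i < d->rec_count; i++)
		size += strlen(d->record[i].name) + 1;
	return size;
}
/* Bytes the old reloc_bootstage() read past a header-sized source; 0 = in bounds. */
static size_t over_read(const struct model_data *src)
{
	size_t total = model_get_size(src);
	return total > sizeof(*src) ? total - sizeof(*src) : 0;
}
/* Fixed flow: copy only sizeof(*old), then relocate strings after the header. */
static struct model_data *model_relocate(const struct model_data *old, void *dst, size_t dst_len)
{
	if (!dst || model_get_size(old) > dst_len)
		return NULL;	/* destination cannot hold header plus strings */
	struct model_data *data = memcpy(dst, old, sizeof(*old));
	char *ptr = (char *)(data + 1);
	for (int i = 0; i < data->rec_count; i++) {
		size_t len = strlen(old->record[i].name) + 1;
		memcpy(ptr, old->record[i].name, len);
		data->record[i].name = ptr;
		ptr += len;
	}
	return data;
}
/* Constructed sample with three records. */
static const struct model_data sample = {
	3, { { "reset" }, { "board_init_f" }, { "relocation" } }
};
/* 1 when every string was moved into dst intact and points inside it. */
static int relocation_is_sound(void)
{
	char dst[256];
	struct model_data *data = model_relocate(&sample, dst, sizeof(dst));
	if (!data) return 0;
	for (int i = 0; i < data->rec_count; i++)
		if (strcmp(data->record[i].name, sample.record[i].name) ||
		    data->record[i].name < dst || data->record[i].name >= dst + 256)
			return 0;
	return 1;
}
```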

* Re: [PATCH] reloc_bootstage: Fix out-of-bounds read
  2024-07-12  8:11 [PATCH] reloc_bootstage: Fix out-of-bounds read Richard Weinberger
@ 2024-07-13 15:13 ` Simon Glass
  2024-07-29 21:57   ` Richard Weinberger
  0 siblings, 1 reply; 4+ messages in thread
From: Simon Glass @ 2024-07-13 15:13 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: u-boot, patrick.delaunay, yangshiji66, raymond.mao, n-jain1,
	eugeneuriev, ilias.apalodimas, devarsht, bmeng.cn, trini,
	upstream+uboot

Hi Richard,

On Fri, 12 Jul 2024 at 09:11, Richard Weinberger <richard@nod.at> wrote:
>
> bootstage_get_size() returns the total size of the data structure
> including associated records.
> When copying from gd->bootstage, only the allocation size of gd->bootstage
> must be used. Otherwise too much memory is copied.
>
> This bug caused no harm so far because gd->new_bootstage is always
> large enough and reading beyond the allocation length of gd->bootstage
> caused no problem due to the U-Boot memory layout.
>
> Fix by using the correct size and perform the initial copy directly
> in bootstage_relocate() to have the whole relocation process in the
> same function.

Nice commit message.

Can you use 'bootstage' as the commit tag?

>
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
>  common/board_f.c   | 6 ------
>  common/bootstage.c | 7 ++++++-
>  2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/common/board_f.c b/common/board_f.c
> index 039d6d712d..f4d87692b9 100644
> --- a/common/board_f.c
> +++ b/common/board_f.c
> @@ -683,12 +683,6 @@ static int reloc_bootstage(void)
>         if (gd->flags & GD_FLG_SKIP_RELOC)
>                 return 0;
>         if (gd->new_bootstage) {
> -               int size = bootstage_get_size();
> -
> -               debug("Copying bootstage from %p to %p, size %x\n",
> -                     gd->bootstage, gd->new_bootstage, size);
> -               memcpy(gd->new_bootstage, gd->bootstage, size);
> -               gd->bootstage = gd->new_bootstage;
>                 bootstage_relocate();
>         }
>  #endif
> diff --git a/common/bootstage.c b/common/bootstage.c
> index 0e6d80718f..aea5a318df 100644
> --- a/common/bootstage.c
> +++ b/common/bootstage.c
> @@ -58,10 +58,15 @@ struct bootstage_hdr {
>
>  int bootstage_relocate(void)
>  {
> -       struct bootstage_data *data = gd->bootstage;
> +       struct bootstage_data *data;
>         int i;
>         char *ptr;
>
> +       debug("Copying bootstage from %p to %p\n", gd->bootstage,
> +             gd->new_bootstage);
> +       memcpy(gd->new_bootstage, gd->bootstage, sizeof(struct bootstage_data));

I would like to have the relocation addresses in board_f like with
other relocations, so it is easy to see what is happening, in one
file. So how about passing the old address to bootstage_relocate() so
it doesn't need to access gd->new_bootstage ?

> +       data = gd->bootstage = gd->new_bootstage;
> +
>         /* Figure out where to relocate the strings to */
>         ptr = (char *)(data + 1);
>
> --
> 2.35.3
>

Regards,
Simon


* Re: [PATCH] reloc_bootstage: Fix out-of-bounds read
  2024-07-13 15:13 ` Simon Glass
@ 2024-07-29 21:57   ` Richard Weinberger
  2024-07-31 14:38     ` Simon Glass
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Weinberger @ 2024-07-29 21:57 UTC (permalink / raw)
  To: Richard Weinberger, upstream
  Cc: u-boot, patrick.delaunay, yangshiji66, raymond.mao, n-jain1,
	eugeneuriev, ilias.apalodimas, devarsht, bmeng.cn, trini,
	upstream+uboot, Simon Glass

Simon,

Am Samstag, 13. Juli 2024, 17:13:50 CEST schrieb Simon Glass:
> Can you use 'bootstage' as the commit tag?

Sure.

> > +       debug("Copying bootstage from %p to %p\n", gd->bootstage,
> > +             gd->new_bootstage);
> > +       memcpy(gd->new_bootstage, gd->bootstage, sizeof(struct bootstage_data));
> 
> I would like to have the relocation addresses in board_f like with
> other relocations, so it is easy to see what is happening, in one
> file. So how about passing the old address to bootstage_relocate() so
> it doesn't need to access gd->new_bootstage ?

You mean passing the *new* address?

Thanks,
//richard

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y




* Re: [PATCH] reloc_bootstage: Fix out-of-bounds read
  2024-07-29 21:57   ` Richard Weinberger
@ 2024-07-31 14:38     ` Simon Glass
  0 siblings, 0 replies; 4+ messages in thread
From: Simon Glass @ 2024-07-31 14:38 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: Richard Weinberger, upstream, u-boot, patrick.delaunay,
	yangshiji66, raymond.mao, n-jain1, eugeneuriev, ilias.apalodimas,
	devarsht, bmeng.cn, trini, upstream+uboot

Hi Richard,

On Mon, 29 Jul 2024 at 15:57, Richard Weinberger <richard@sigma-star.at> wrote:
>
> Simon,
>
> Am Samstag, 13. Juli 2024, 17:13:50 CEST schrieb Simon Glass:
> > Can you use 'bootstage' as the commit tag?
>
> Sure.
>
> > > +       debug("Copying bootstage from %p to %p\n", gd->bootstage,
> > > +             gd->new_bootstage);
> > > +       memcpy(gd->new_bootstage, gd->bootstage, sizeof(struct bootstage_data));
> >
> > I would like to have the relocation addresses in board_f like with
> > other relocations, so it is easy to see what is happening, in one
> > file. So how about passing the old address to bootstage_relocate() so
> > it doesn't need to access gd->new_bootstage ?
>
> You mean passing the *new* address?

Yes, sorry.

Regards,
Simon
