* [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
From: Richard Weinberger @ 2024-07-31 16:07 UTC (permalink / raw)
To: u-boot
Cc: upstream+uboot, patrick.delaunay, marek.vasut+renesas,
yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
bmeng.cn, sjg, trini, Richard Weinberger
bootstage_get_size() returns the total size of the data structure
including associated records.
When copying from gd->bootstage, only the allocation size of gd->bootstage
must be used. Otherwise too much memory is copied.
This bug caused no harm so far because gd->new_bootstage is always
large enough and reading beyond the allocation length of gd->bootstage
caused no problem due to the U-Boot memory layout.
Fix by using the correct size and performing the initial copy directly
in bootstage_relocate() to have the whole relocation process in the
same function.
Signed-off-by: Richard Weinberger <richard@nod.at>
---
Changes since v1:
- Pass gd->new_bootstage to bootstage_relocate()
---
common/board_f.c | 8 +-------
common/bootstage.c | 8 ++++++--
include/bootstage.h | 4 ++--
3 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/common/board_f.c b/common/board_f.c
index 29e185137a..21a8944e2b 100644
--- a/common/board_f.c
+++ b/common/board_f.c
@@ -683,13 +683,7 @@ static int reloc_bootstage(void)
if (gd->flags & GD_FLG_SKIP_RELOC)
return 0;
if (gd->new_bootstage) {
- int size = bootstage_get_size();
-
- debug("Copying bootstage from %p to %p, size %x\n",
- gd->bootstage, gd->new_bootstage, size);
- memcpy(gd->new_bootstage, gd->bootstage, size);
- gd->bootstage = gd->new_bootstage;
- bootstage_relocate();
+ bootstage_relocate(gd->new_bootstage);
}
#endif
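Review bot: reloc_bootstage() now depends on bootstage_relocate() to both perform the copy and update gd->bootstage (the removed `gd->bootstage = gd->new_bootstage;` has no replacement here), while the inline stub of bootstage_relocate() in include/bootstage.h just returns 0 without touching gd->bootstage; please confirm that gd->new_bootstage can only be non-NULL in configurations where the real bootstage_relocate() is linked, otherwise gd->bootstage would keep pointing at the pre-relocation buffer that the comment in bootstage.h warns may be overwritten later. A one-line comment on the `+ bootstage_relocate(gd->new_bootstage);` call stating that it copies and re-points gd->bootstage would make that contract visible at the call site.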
diff --git a/common/bootstage.c b/common/bootstage.c
index b6c268d9f4..49acc9078a 100644
--- a/common/bootstage.c
+++ b/common/bootstage.c
@@ -54,12 +54,16 @@ struct bootstage_hdr {
u32 next_id; /* Next ID to use for bootstage */
};
-int bootstage_relocate(void)
+int bootstage_relocate(void *to)
{
- struct bootstage_data *data = gd->bootstage;
+ struct bootstage_data *data;
int i;
char *ptr;
+ debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
+ memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
+ data = gd->bootstage = to;
+
/* Figure out where to relocate the strings to */
ptr = (char *)(data + 1);
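Review bot: the new `+ memcpy(to, gd->bootstage, sizeof(struct bootstage_data));` correctly limits the read to the struct's own allocation, but because the strings are then written starting at `ptr = (char *)(data + 1)`, the function now silently requires `to` to hold the struct plus all relocated strings (bootstage_get_size() bytes); the commit message says gd->new_bootstage is always large enough, so a comment above the memcpy() stating that precondition, or a debug()/assert against bootstage_get_size(), would document it for future callers. The chained `data = gd->bootstage = to;` is the checkpatch nit already raised in review; splitting it keeps the gd-> assignment on its own line.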
diff --git a/include/bootstage.h b/include/bootstage.h
index f4e77b09d7..57792648c4 100644
--- a/include/bootstage.h
+++ b/include/bootstage.h
@@ -258,7 +258,7 @@ void show_boot_progress(int val);
* relocation, since memory can be overwritten later.
* Return: Always returns 0, to indicate success
*/
-int bootstage_relocate(void);
+int bootstage_relocate(void *to);
/**
* Add a new bootstage record
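Review bot: the prototype gains a `to` parameter but the kernel-doc comment directly above it (ending in "Return: Always returns 0, to indicate success") is not updated in this hunk, so there is no `@to:` entry; add a line such as `@to: destination buffer, large enough for bootstage_get_size() bytes` before the Return: line, and consider noting that the function copies the data and updates gd->bootstage, since that responsibility moved here from board_f.c.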
@@ -395,7 +395,7 @@ static inline ulong bootstage_add_record(enum bootstage_id id,
* and won't even do that unless CONFIG_SHOW_BOOT_PROGRESS is defined
*/
-static inline int bootstage_relocate(void)
+static inline int bootstage_relocate(void *to)
{
return 0;
}
--
2.35.3
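To make the size confusion at the heart of this patch concrete, here is an added, self-contained C model of the relocation; it is example code written for this page, not U-Boot code, and every name in it (model_data, model_rec, model_get_size, model_relocate, copy_len_fits, model_sample, model_check) is hypothetical. It mirrors the two sizes the thread talks about: the struct's own allocation (what gd->bootstage is allocated for, and what the fixed memcpy() copies) and the struct-plus-strings total (what bootstage_get_size() reports and what the removed memcpy() used as its length). The relocate routine copies only sizeof(struct), lays the strings out directly behind it, and rejects a destination that cannot hold the total; model_check() verifies those properties on a constructed sample.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_RECS 3

/* A record's name lives outside the struct, as bootstage strings do. */
struct model_rec {
	const char *name;
	unsigned long time_us; /* constructed sample value, not measured */
};

/* Stand-in for struct bootstage_data: the part gd->bootstage is allocated for. */
struct model_data {
	unsigned int rec_count;
	struct model_rec rec[MODEL_RECS];
};

/* Counterpart of bootstage_get_size(): struct plus every referenced string.
 * Using this as a memcpy() length reads past the struct's own allocation. */
size_t model_get_size(const struct model_data *data)
{
	size_t size = sizeof(*data);
	unsigned int i;

	for (i = 0; i < data->rec_count; i++)
		size += strlen(data->rec[i].name) + 1;
	return size;
}

/* Bounds check: does a copy of copy_len bytes stay inside an alloc_len source? */
int copy_len_fits(size_t copy_len, size_t alloc_len)
{
	return copy_len <= alloc_len;
}

/* Counterpart of the fixed bootstage_relocate(): copy only sizeof(struct) from
 * the source, then place the strings right behind the struct in `to`.
 * Returns NULL when `to_len` cannot hold struct plus strings. */
struct model_data *model_relocate(const struct model_data *from, void *to,
				  size_t to_len)
{
	struct model_data *data = to;
	char *ptr;
	unsigned int i;

	if (to_len < model_get_size(from))
		return NULL;
	memcpy(to, from, sizeof(*from));
	ptr = (char *)(data + 1); /* strings start directly after the struct */
	for (i = 0; i < data->rec_count; i++) {
		size_t len = strlen(from->rec[i].name) + 1;

		memcpy(ptr, from->rec[i].name, len);
		data->rec[i].name = ptr;
		ptr += len;
	}
	return data;
}

/* Constructed sample: allocated at exactly sizeof(struct), like gd->bootstage,
 * while the names live in static storage elsewhere. */
struct model_data *model_sample(void)
{
	static const char *names[MODEL_RECS] = {
		"board_init_f", "reloc_bootstage", "board_init_r"
	};
	struct model_data *d = calloc(1, sizeof(*d));
	unsigned int i;

	if (!d)
		return NULL;
	d->rec_count = MODEL_RECS;
	for (i = 0; i < MODEL_RECS; i++) {
		d->rec[i].name = names[i];
		d->rec[i].time_us = 100 * (i + 1);
	}
	return d;
}

/* Total size of the sample, as bootstage_get_size() would report it. */
size_t model_sample_total_size(void)
{
	struct model_data *d = model_sample();
	size_t n = d ? model_get_size(d) : 0;

	free(d);
	return n;
}

/* Replays the scenario from the patch; returns 0 when every property holds. */
int model_check(void)
{
	struct model_data *src = model_sample();
	struct model_data *dst;
	size_t total, buflen;
	char *buf;
	int rc = 0;

	if (!src)
		return -1;
	total = model_get_size(src);
	buflen = total + 16;
	buf = malloc(buflen);
	if (!buf) {
		free(src);
		return -2;
	}
	if (copy_len_fits(total, sizeof(*src)))
		rc = 1; /* the pre-fix length must overrun the source allocation */
	if (!copy_len_fits(sizeof(*src), sizeof(*src)))
		rc = 2; /* the fixed length must fit */
	dst = model_relocate(src, buf, buflen);
	if (!dst)
		rc = 3;
	else if (strcmp(dst->rec[1].name, "reloc_bootstage") != 0)
		rc = 4; /* strings survive relocation */
	else if (dst->rec[0].name != buf + sizeof(*dst))
		rc = 5; /* first string sits right behind the struct */
	else if (dst->rec[2].name + strlen(dst->rec[2].name) + 1 != buf + total)
		rc = 6; /* last string ends exactly at the total size */
	else if (model_relocate(src, buf, sizeof(*src)) != NULL)
		rc = 7; /* a destination sized only for the struct is rejected */
	free(buf);
	free(src);
	return rc;
}
```

The point the model makes is that the bug was a mismatch between two legitimate sizes, not a bad size computation: the total is the right number for sizing the destination (which is why gd->new_bootstage was always large enough), but the wrong number for the length of a read from the struct's own allocation. Checking the copy length against the source allocation, as copy_len_fits() does, is the generic guard that would have caught the v1 code.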
* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
From: Simon Glass @ 2024-08-01 14:42 UTC (permalink / raw)
To: Richard Weinberger
Cc: u-boot, upstream+uboot, patrick.delaunay, marek.vasut+renesas,
yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
bmeng.cn, trini
Hi Richard,
On Wed, 31 Jul 2024 at 10:08, Richard Weinberger <richard@nod.at> wrote:
>
> bootstage_get_size() returns the total size of the data structure
> including associated records.
> When copying from gd->bootstage, only the allocation size of gd->bootstage
> must be used. Otherwise too much memory is copied.
>
> This bug caused no harm so far because gd->new_bootstage is always
> large enough and reading beyond the allocation length of gd->bootstage
> caused no problem due to the U-Boot memory layout.
>
> Fix by using the correct size and performing the initial copy directly
> in bootstage_relocate() to have the whole relocation process in the
> same function.
>
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> Changes since v1:
> - Pass gd->new_bootstage to bootstage_relocate()
> ---
> common/board_f.c | 8 +-------
> common/bootstage.c | 8 ++++++--
> include/bootstage.h | 4 ++--
> 3 files changed, 9 insertions(+), 11 deletions(-)
>
Reviewed-by: Simon Glass <sjg@chromium.org>
nit below
> diff --git a/common/board_f.c b/common/board_f.c
> index 29e185137a..21a8944e2b 100644
> --- a/common/board_f.c
> +++ b/common/board_f.c
> @@ -683,13 +683,7 @@ static int reloc_bootstage(void)
> if (gd->flags & GD_FLG_SKIP_RELOC)
> return 0;
> if (gd->new_bootstage) {
> - int size = bootstage_get_size();
> -
> - debug("Copying bootstage from %p to %p, size %x\n",
> - gd->bootstage, gd->new_bootstage, size);
> - memcpy(gd->new_bootstage, gd->bootstage, size);
> - gd->bootstage = gd->new_bootstage;
> - bootstage_relocate();
> + bootstage_relocate(gd->new_bootstage);
> }
> #endif
>
> diff --git a/common/bootstage.c b/common/bootstage.c
> index b6c268d9f4..49acc9078a 100644
> --- a/common/bootstage.c
> +++ b/common/bootstage.c
> @@ -54,12 +54,16 @@ struct bootstage_hdr {
> u32 next_id; /* Next ID to use for bootstage */
> };
>
> -int bootstage_relocate(void)
> +int bootstage_relocate(void *to)
> {
> - struct bootstage_data *data = gd->bootstage;
> + struct bootstage_data *data;
> int i;
> char *ptr;
>
> + debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
> + memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
> + data = gd->bootstage = to;
should be a separate line (patman/checkpatch complains)
> +
> /* Figure out where to relocate the strings to */
> ptr = (char *)(data + 1);
>
> diff --git a/include/bootstage.h b/include/bootstage.h
> index f4e77b09d7..57792648c4 100644
> --- a/include/bootstage.h
> +++ b/include/bootstage.h
> @@ -258,7 +258,7 @@ void show_boot_progress(int val);
> * relocation, since memory can be overwritten later.
> * Return: Always returns 0, to indicate success
> */
> -int bootstage_relocate(void);
> +int bootstage_relocate(void *to);
>
> /**
> * Add a new bootstage record
> @@ -395,7 +395,7 @@ static inline ulong bootstage_add_record(enum bootstage_id id,
> * and won't even do that unless CONFIG_SHOW_BOOT_PROGRESS is defined
> */
>
> -static inline int bootstage_relocate(void)
> +static inline int bootstage_relocate(void *to)
> {
> return 0;
> }
> --
> 2.35.3
>
Regards,
Simon
* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
From: Richard Weinberger @ 2024-08-01 14:48 UTC (permalink / raw)
To: Richard Weinberger, upstream
Cc: u-boot, upstream+uboot, patrick.delaunay, marek.vasut+renesas,
yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
bmeng.cn, trini, Simon Glass
Simon,
On Thursday, 1 August 2024, 16:42:14 CEST, Simon Glass wrote:
> > + debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
> > + memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
> > + data = gd->bootstage = to;
>
> should be a separate line (patman/checkpatch complains)
I saw the suggestion of checkpatch.pl but ditched it as a matter of taste.
Do you want a v3?
Thanks,
//richard
--
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y
* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
From: Simon Glass @ 2024-08-01 16:14 UTC (permalink / raw)
To: Richard Weinberger
Cc: Richard Weinberger, upstream, u-boot, upstream+uboot,
patrick.delaunay, marek.vasut+renesas, yangshiji66, xypron.glpk,
eugeneuriev, raymond.mao, devarsht, bmeng.cn, trini
Hi Richard,
On Thu, 1 Aug 2024 at 08:48, Richard Weinberger <richard@sigma-star.at> wrote:
>
> Simon,
>
> On Thursday, 1 August 2024, 16:42:14 CEST, Simon Glass wrote:
> > > + debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
> > > + memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
> > > + data = gd->bootstage = to;
> >
> > should be a separate line (patman/checkpatch complains)
>
> I saw the suggestion of checkpatch.pl but ditched it as a matter of taste.
> Do you want a v3?
It's OK I suppose. I used to hate that checkpatch.pl rule too, but
have come to get used to it...it avoids hiding the gd-> assignment
that my eye is looking for :-)
Regards,
Simon
>
> Thanks,
> //richard
>
> --
> sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
> UID/VAT Nr: ATU 66964118 | FN: 374287y
>
>
* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
From: Tom Rini @ 2024-08-16 3:47 UTC (permalink / raw)
To: u-boot, Richard Weinberger
Cc: upstream+uboot, patrick.delaunay, marek.vasut+renesas,
yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
bmeng.cn, sjg
On Wed, 31 Jul 2024 18:07:54 +0200, Richard Weinberger wrote:
> bootstage_get_size() returns the total size of the data structure
> including associated records.
> When copying from gd->bootstage, only the allocation size of gd->bootstage
> must be used. Otherwise too much memory is copied.
>
> This bug caused no harm so far because gd->new_bootstage is always
> large enough and reading beyond the allocation length of gd->bootstage
> caused no problem due to the U-Boot memory layout.
>
> [...]
Applied to u-boot/next, thanks!
--
Tom