[PATCH v2] bootstage: Fix out-of-bounds read in reloc

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
@ 2024-07-31 16:07 Richard Weinberger
  2024-08-01 14:42 ` Simon Glass
  2024-08-16  3:47 ` Tom Rini
  0 siblings, 2 replies; 5+ messages in thread
From: Richard Weinberger @ 2024-07-31 16:07 UTC (permalink / raw)
  To: u-boot
  Cc: upstream+uboot, patrick.delaunay, marek.vasut+renesas,
	yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
	bmeng.cn, sjg, trini, Richard Weinberger

bootstage_get_size() returns the total size of the data structure
including associated records.
When copying from gd->bootstage, only the allocation size of gd->bootstage
must be used. Otherwise too much memory is copied.

This bug caused no harm so far because gd->new_bootstage is always
large enough and reading beyond the allocation length of gd->bootstage
caused no problem due to the U-Boot memory layout.

Fix by using the correct size and perform the initial copy directly
in bootstage_relocate() to have the whole relocation process in the
same function.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
Changes since v1:
- Pass gd->new_bootstage to bootstage_relocate()
---
 common/board_f.c    | 8 +-------
 common/bootstage.c  | 8 ++++++--
 include/bootstage.h | 4 ++--
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/common/board_f.c b/common/board_f.c
index 29e185137a..21a8944e2b 100644
--- a/common/board_f.c
+++ b/common/board_f.c
@@ -683,13 +683,7 @@ static int reloc_bootstage(void)
 	if (gd->flags & GD_FLG_SKIP_RELOC)
 		return 0;
 	if (gd->new_bootstage) {
-		int size = bootstage_get_size();
-
-		debug("Copying bootstage from %p to %p, size %x\n",
-		      gd->bootstage, gd->new_bootstage, size);
-		memcpy(gd->new_bootstage, gd->bootstage, size);
-		gd->bootstage = gd->new_bootstage;
-		bootstage_relocate();
+		bootstage_relocate(gd->new_bootstage);
 	}
 #endif
 
diff --git a/common/bootstage.c b/common/bootstage.c
index b6c268d9f4..49acc9078a 100644
--- a/common/bootstage.c
+++ b/common/bootstage.c
@@ -54,12 +54,16 @@ struct bootstage_hdr {
 	u32 next_id;		/* Next ID to use for bootstage */
 };
 
-int bootstage_relocate(void)
+int bootstage_relocate(void *to)
 {
-	struct bootstage_data *data = gd->bootstage;
+	struct bootstage_data *data;
 	int i;
 	char *ptr;
 
+	debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
+	memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
+	data = gd->bootstage = to;
+
 	/* Figure out where to relocate the strings to */
 	ptr = (char *)(data + 1);
 
diff --git a/include/bootstage.h b/include/bootstage.h
index f4e77b09d7..57792648c4 100644
--- a/include/bootstage.h
+++ b/include/bootstage.h
@@ -258,7 +258,7 @@ void show_boot_progress(int val);
  * relocation, since memory can be overwritten later.
  * Return: Always returns 0, to indicate success
  */
-int bootstage_relocate(void);
+int bootstage_relocate(void *to);
 
 /**
  * Add a new bootstage record
@@ -395,7 +395,7 @@ static inline ulong bootstage_add_record(enum bootstage_id id,
  * and won't even do that unless CONFIG_SHOW_BOOT_PROGRESS is defined
  */
 
-static inline int bootstage_relocate(void)
+static inline int bootstage_relocate(void *to)
 {
 	return 0;
 }
-- 
2.35.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
  2024-07-31 16:07 [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage() Richard Weinberger
@ 2024-08-01 14:42 ` Simon Glass
  2024-08-01 14:48   ` Richard Weinberger
  2024-08-16  3:47 ` Tom Rini
  1 sibling, 1 reply; 5+ messages in thread
From: Simon Glass @ 2024-08-01 14:42 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: u-boot, upstream+uboot, patrick.delaunay, marek.vasut+renesas,
	yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
	bmeng.cn, trini

Hi Richard,

On Wed, 31 Jul 2024 at 10:08, Richard Weinberger <richard@nod.at> wrote:
>
> bootstage_get_size() returns the total size of the data structure
> including associated records.
> When copying from gd->bootstage, only the allocation size of gd->bootstage
> must be used. Otherwise too much memory is copied.
>
> This bug caused no harm so far because gd->new_bootstage is always
> large enough and reading beyond the allocation length of gd->bootstage
> caused no problem due to the U-Boot memory layout.
>
> Fix by using the correct size and perform the initial copy directly
> in bootstage_relocate() to have the whole relocation process in the
> same function.
>
> Signed-off-by: Richard Weinberger <richard@nod.at>
> ---
> Changes since v1:
> - Pass gd->new_bootstage to bootstage_relocate()
> ---
>  common/board_f.c    | 8 +-------
>  common/bootstage.c  | 8 ++++++--
>  include/bootstage.h | 4 ++--
>  3 files changed, 9 insertions(+), 11 deletions(-)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

nit below

> diff --git a/common/board_f.c b/common/board_f.c
> index 29e185137a..21a8944e2b 100644
> --- a/common/board_f.c
> +++ b/common/board_f.c
> @@ -683,13 +683,7 @@ static int reloc_bootstage(void)
>         if (gd->flags & GD_FLG_SKIP_RELOC)
>                 return 0;
>         if (gd->new_bootstage) {
> -               int size = bootstage_get_size();
> -
> -               debug("Copying bootstage from %p to %p, size %x\n",
> -                     gd->bootstage, gd->new_bootstage, size);
> -               memcpy(gd->new_bootstage, gd->bootstage, size);
> -               gd->bootstage = gd->new_bootstage;
> -               bootstage_relocate();
> +               bootstage_relocate(gd->new_bootstage);
>         }
>  #endif
>
> diff --git a/common/bootstage.c b/common/bootstage.c
> index b6c268d9f4..49acc9078a 100644
> --- a/common/bootstage.c
> +++ b/common/bootstage.c
> @@ -54,12 +54,16 @@ struct bootstage_hdr {
>         u32 next_id;            /* Next ID to use for bootstage */
>  };
>
> -int bootstage_relocate(void)
> +int bootstage_relocate(void *to)
>  {
> -       struct bootstage_data *data = gd->bootstage;
> +       struct bootstage_data *data;
>         int i;
>         char *ptr;
>
> +       debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
> +       memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
> +       data = gd->bootstage = to;

should be a separate line (patman/checkpatch complains)

> +
>         /* Figure out where to relocate the strings to */
>         ptr = (char *)(data + 1);
>
> diff --git a/include/bootstage.h b/include/bootstage.h
> index f4e77b09d7..57792648c4 100644
> --- a/include/bootstage.h
> +++ b/include/bootstage.h
> @@ -258,7 +258,7 @@ void show_boot_progress(int val);
>   * relocation, since memory can be overwritten later.
>   * Return: Always returns 0, to indicate success
>   */
> -int bootstage_relocate(void);
> +int bootstage_relocate(void *to);
>
>  /**
>   * Add a new bootstage record
> @@ -395,7 +395,7 @@ static inline ulong bootstage_add_record(enum bootstage_id id,
>   * and won't even do that unless CONFIG_SHOW_BOOT_PROGRESS is defined
>   */
>
> -static inline int bootstage_relocate(void)
> +static inline int bootstage_relocate(void *to)
>  {
>         return 0;
>  }
> --
> 2.35.3
>

Regards,
Simon

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
  2024-08-01 14:42 ` Simon Glass
@ 2024-08-01 14:48   ` Richard Weinberger
  2024-08-01 16:14     ` Simon Glass
  0 siblings, 1 reply; 5+ messages in thread
From: Richard Weinberger @ 2024-08-01 14:48 UTC (permalink / raw)
  To: Richard Weinberger, upstream
  Cc: u-boot, upstream+uboot, patrick.delaunay, marek.vasut+renesas,
	yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
	bmeng.cn, trini, Simon Glass

Simon,

Am Donnerstag, 1. August 2024, 16:42:14 CEST schrieb Simon Glass:
> > +       debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
> > +       memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
> > +       data = gd->bootstage = to;
> 
> should be a separate line (patman/checkpatch complains)

I saw the suggestion of checkpatch.pl but ditched it as matter of taste.
Do you want a v3?

Thanks,
//richard

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
UID/VAT Nr: ATU 66964118 | FN: 374287y



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
  2024-08-01 14:48   ` Richard Weinberger
@ 2024-08-01 16:14     ` Simon Glass
  0 siblings, 0 replies; 5+ messages in thread
From: Simon Glass @ 2024-08-01 16:14 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: Richard Weinberger, upstream, u-boot, upstream+uboot,
	patrick.delaunay, marek.vasut+renesas, yangshiji66, xypron.glpk,
	eugeneuriev, raymond.mao, devarsht, bmeng.cn, trini

Hi Richard,

On Thu, 1 Aug 2024 at 08:48, Richard Weinberger <richard@sigma-star.at> wrote:
>
> Simon,
>
> Am Donnerstag, 1. August 2024, 16:42:14 CEST schrieb Simon Glass:
> > > +       debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
> > > +       memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
> > > +       data = gd->bootstage = to;
> >
> > should be a separate line (patman/checkpatch complains)
>
> I saw the suggestion of checkpatch.pl but ditched it as matter of taste.
> Do you want a v3?

It's OK I suppose. I used to hate that checkpatch.pl rule too, but
have come to get used to it...it avoids hiding the gd-> assignment
that my eye is looking for :-)

Regards,
Simon


>
> Thanks,
> //richard
>
> --
> sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT
> UID/VAT Nr: ATU 66964118 | FN: 374287y
>
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage()
  2024-07-31 16:07 [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage() Richard Weinberger
  2024-08-01 14:42 ` Simon Glass
@ 2024-08-16  3:47 ` Tom Rini
  1 sibling, 0 replies; 5+ messages in thread
From: Tom Rini @ 2024-08-16  3:47 UTC (permalink / raw)
  To: u-boot, Richard Weinberger
  Cc: upstream+uboot, patrick.delaunay, marek.vasut+renesas,
	yangshiji66, xypron.glpk, eugeneuriev, raymond.mao, devarsht,
	bmeng.cn, sjg

On Wed, 31 Jul 2024 18:07:54 +0200, Richard Weinberger wrote:

> bootstage_get_size() returns the total size of the data structure
> including associated records.
> When copying from gd->bootstage, only the allocation size of gd->bootstage
> must be used. Otherwise too much memory is copied.
> 
> This bug caused no harm so far because gd->new_bootstage is always
> large enough and reading beyond the allocation length of gd->bootstage
> caused no problem due to the U-Boot memory layout.
> 
> [...]

Applied to u-boot/next, thanks!

-- 
Tom



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-08-16  3:47 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-31 16:07 [PATCH v2] bootstage: Fix out-of-bounds read in reloc_bootstage() Richard Weinberger
2024-08-01 14:42 ` Simon Glass
2024-08-01 14:48   ` Richard Weinberger
2024-08-01 16:14     ` Simon Glass
2024-08-16  3:47 ` Tom Rini

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.