From: Michal Simek <monstr@monstr.eu>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 3/6] gzip: correctly bounds-check output buffer
Date: Fri, 08 Nov 2013 13:04:10 +0100
Message-ID: <527CD33A.4030409@monstr.eu>
In-Reply-To: <1376665157-31268-4-git-send-email-keescook@chromium.org>
Hi Kees,
On 08/16/2013 04:59 PM, Kees Cook wrote:
> The output buffer size must not be reset by the gzip decoder or there
> is a risk of overflowing memory during decompression.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Acked-by: Simon Glass <sjg@chromium.org>
> ---
> lib/gunzip.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lib/gunzip.c b/lib/gunzip.c
> index 9959781..35abfb3 100644
> --- a/lib/gunzip.c
> +++ b/lib/gunzip.c
> @@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
> s.avail_out = dstlen;
> do {
> r = inflate(&s, Z_FINISH);
> - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
> + if (stoponerr == 1 && r != Z_STREAM_END &&
> + (s.avail_out == 0 || r != Z_BUF_ERROR)) {
> printf("Error: inflate() returned %d\n", r);
> inflateEnd(&s);
> return -1;
> }
> s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
> - s.avail_out = dstlen;
> } while (r == Z_BUF_ERROR);
> *lenp = s.next_out - (unsigned char *) dst;
> inflateEnd(&s);
>
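Review bot: With stoponerr != 1 the rewritten condition can never fire, so once the output buffer is full (s.avail_out == 0) inflate() keeps returning Z_BUF_ERROR and the `while (r == Z_BUF_ERROR)` loop retries with no room to make progress, now that `s.avail_out = dstlen;` is removed. I would test `s.avail_out == 0` independently of stoponerr and leave the loop with an error return in that case, so a full destination always terminates decompression. Separately, the unchanged context line `s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);` subtracts the number of bytes written to dst from what appears to be the input length; since decompressed output normally outgrows its input, that value can go wrong on a retry, and it is worth checking whether it should track consumed input (s.next_in) instead.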
I have upgraded U-Boot to version v2013.10 and I see a problem with this patch
when I try to boot my zynq image.
After reverting this patch everything works as expected.
Here is the image I am using.
http://www.monstr.eu/20131108-image.ub
Below is the bootlog.
Do you have any idea what can be wrong?
Thanks,
Michal
U-Boot 2013.10 (Nov 08 2013 - 13:02:26)
Memory: ECC disabled
DRAM: 1 GiB
WARNING: Caches not enabled
MMC: zynq_sdhci: 0
SF: Detected N25Q128A with page size 256 Bytes, erase size 4 KiB, total 16 MiB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Net: Gem.e000b000
U-BOOT for zynq-zc702
Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
BOOTP broadcast 1
DHCP client bound to address 192.168.0.90
Hit any key to stop autoboot: 0
U-Boot-PetaLinux> run netboot
Gem.e000b000:7 is connected to Gem.e000b000. Reconnecting to Gem.e000b000
Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
Using Gem.e000b000 device
TFTP from server 192.168.0.100; our IP address is 192.168.0.90
Filename 'image.ub'.
Load address: 0x1000000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#######################################
2 MiB/s
done
Bytes transferred = 12964752 (c5d390 hex)
## Loading kernel from FIT Image at 01000000 ...
Using 'conf at 1' configuration
Trying 'kernel at 1' kernel subimage
Description: PetaLinux Kernel
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x010000f0
Data Size: 12949283 Bytes = 12.3 MiB
Architecture: ARM
OS: Linux
Load Address: 0x10008000
Entry Point: 0x10008000
Hash algo: crc32
Hash value: 39564940
Verifying Hash Integrity ... crc32+ OK
## Loading fdt from FIT Image at 01000000 ...
Using 'conf at 1' configuration
Trying 'fdt at 1' fdt subimage
Description: Flattened Device Tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x01c598f8
Data Size: 14133 Bytes = 13.8 KiB
Architecture: ARM
Hash algo: crc32
Hash value: be457cb0
Hash algo: sha1
Hash value: 206ffdb413e297d4a143a47fa8598cee4527a63a
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x1c598f8
Uncompressing Kernel Image ... Error: inflate() returned -5
GUNZIP: uncompress, out-of-mem or overwrite error - must RESET board to recover
resetting ...
--
Michal Simek, Ing. (M.Eng), OpenPGP -> KeyID: FE3D1F91
w: www.monstr.eu p: +42-0-721842854
Maintainer of Linux kernel - Microblaze cpu - http://www.monstr.eu/fdt/
Maintainer of Linux kernel - Xilinx Zynq ARM architecture
Microblaze U-BOOT custodian and responsible for u-boot arm zynq platform