* [cbootimage PATCH] tN: if_bct_is_tN_get_soc_config: Adds bounds checking to the BCT buffer.
@ 2015-07-05  0:03 Giancarlo Canales
       [not found] ` <8A8A7455-57BF-4F37-B70B-B1A8F2E16326-BUHhN+a2lJ4@public.gmane.org>
  0 siblings, 1 reply; 3+ messages in thread
From: Giancarlo Canales @ 2015-07-05  0:03 UTC (permalink / raw)
  To: linux-tegra-u79uwXL29TY76Z2rM5mHXA

[-- Attachment #1: Type: text/plain, Size: 3444 bytes --]

Checks if the BCT buffer is too small to be a valid `nvboot_config_table`.

Signed-off-by: Giancarlo Canales Barreto <gcanalesb-BUHhN+a2lJ4@public.gmane.org>
---
 src/t114/nvbctlib_t114.c | 3 +++
 src/t124/nvbctlib_t124.c | 3 +++
 src/t132/nvbctlib_t132.c | 3 +++
 src/t20/nvbctlib_t20.c   | 3 +++
 src/t210/nvbctlib_t210.c | 3 +++
 src/t30/nvbctlib_t30.c   | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/src/t114/nvbctlib_t114.c b/src/t114/nvbctlib_t114.c
index dad8f4f..df68369 100644
--- a/src/t114/nvbctlib_t114.c
+++ b/src/t114/nvbctlib_t114.c
@@ -1139,6 +1139,9 @@ int if_bct_is_t114_get_soc_config(build_image_context *context,
 {
 	nvboot_config_table * bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
 	if (bct->boot_data_version == BOOTDATA_VERSION_T114)
 	{
 		t114_get_soc_config(context, soc_config);
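Review bot: The added guard in if_bct_is_t114_get_soc_config returns 0 for a short buffer without any diagnostic, and 0 is presumably also what the function returns when boot_data_version simply does not match (the tail of the function is outside the hunk), so a caller cannot tell a truncated BCT from one built for another SoC. A one-line comment above the check would record the intent, e.g. `/* Too short to hold a full nvboot_config_table: do not read boot_data_version past the end of context->bct. */`, and a message naming the actual and expected sizes would make the rejection visible to the user. The check is also only as strong as `context->bct_size`: its declaration is not shown here, and if it is a signed type a negative value is converted to a large unsigned one in the comparison with `sizeof` and passes, so it is worth confirming that it is unsigned and holds the number of bytes actually loaded into `context->bct`. The same applies to the identical guard in the t124, t132, t20, t210 and t30 hunks.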
diff --git a/src/t124/nvbctlib_t124.c b/src/t124/nvbctlib_t124.c
index 5df93cd..1f6dc05 100644
--- a/src/t124/nvbctlib_t124.c
+++ b/src/t124/nvbctlib_t124.c
@@ -1152,6 +1152,9 @@ int if_bct_is_t124_get_soc_config(build_image_context *context,
 {
 	nvboot_config_table *bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
 	if (bct->boot_data_version == BOOTDATA_VERSION_T124) {
 		t124_get_soc_config(context, soc_config);
 		return 1;
diff --git a/src/t132/nvbctlib_t132.c b/src/t132/nvbctlib_t132.c
index ab5ab34..4e5d31a 100644
--- a/src/t132/nvbctlib_t132.c
+++ b/src/t132/nvbctlib_t132.c
@@ -1233,6 +1233,9 @@ int if_bct_is_t132_get_soc_config(build_image_context *context,
 {
 	nvboot_config_table *bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
 	if (bct->boot_data_version == BOOTDATA_VERSION_T132) {
 		t132_get_soc_config(context, soc_config);
 		return 1;
diff --git a/src/t20/nvbctlib_t20.c b/src/t20/nvbctlib_t20.c
index 4e07bf2..813806f 100644
--- a/src/t20/nvbctlib_t20.c
+++ b/src/t20/nvbctlib_t20.c
@@ -719,6 +719,9 @@ int if_bct_is_t20_get_soc_config(build_image_context *context,
 	cbootimage_soc_config **soc_config)
 {
 	nvboot_config_table * bct = (nvboot_config_table *) context->bct;
+
+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;

 	if (bct->boot_data_version == BOOTDATA_VERSION_T20)
 	{
diff --git a/src/t210/nvbctlib_t210.c b/src/t210/nvbctlib_t210.c
index 9921bbb..46da441 100644
--- a/src/t210/nvbctlib_t210.c
+++ b/src/t210/nvbctlib_t210.c
@@ -2306,6 +2306,9 @@ int if_bct_is_t210_get_soc_config(build_image_context *context,
 {
 	nvboot_config_table *bct = (nvboot_config_table*) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
 	if (bct->boot_data_version == BOOTDATA_VERSION_T210) {
 		t210_get_soc_config(context, soc_config);
 		return 1;
diff --git a/src/t30/nvbctlib_t30.c b/src/t30/nvbctlib_t30.c
index df3bef0..3590c89 100644
--- a/src/t30/nvbctlib_t30.c
+++ b/src/t30/nvbctlib_t30.c
@@ -927,6 +927,9 @@ int if_bct_is_t30_get_soc_config(build_image_context *context,
 {
 	nvboot_config_table * bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
 	if (bct->boot_data_version == BOOTDATA_VERSION_T30)
 	{
 		t30_get_soc_config(context, soc_config);
--
2.1.4



[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 842 bytes --]


* [cbootimage PATCH] tN: if_bct_is_tN_get_soc_config: Adds bounds checking to the BCT buffer.
@ 2015-07-05  0:35 Giancarlo Canales
  0 siblings, 0 replies; 3+ messages in thread
From: Giancarlo Canales @ 2015-07-05  0:35 UTC (permalink / raw)
  To: linux-tegra-u79uwXL29TY76Z2rM5mHXA

Checks if the BCT buffer is too small to be a valid `nvboot_config_table`.

Signed-off-by: Giancarlo Canales Barreto <gcanalesb-BUHhN+a2lJ4@public.gmane.org>
---
src/t114/nvbctlib_t114.c | 3 +++
src/t124/nvbctlib_t124.c | 3 +++
src/t132/nvbctlib_t132.c | 3 +++
src/t20/nvbctlib_t20.c   | 3 +++
src/t210/nvbctlib_t210.c | 3 +++
src/t30/nvbctlib_t30.c   | 3 +++
6 files changed, 18 insertions(+)

diff --git a/src/t114/nvbctlib_t114.c b/src/t114/nvbctlib_t114.c
index dad8f4f..df68369 100644
--- a/src/t114/nvbctlib_t114.c
+++ b/src/t114/nvbctlib_t114.c
@@ -1139,6 +1139,9 @@ int if_bct_is_t114_get_soc_config(build_image_context *context,
{
	nvboot_config_table * bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
	if (bct->boot_data_version == BOOTDATA_VERSION_T114)
	{
		t114_get_soc_config(context, soc_config);
diff --git a/src/t124/nvbctlib_t124.c b/src/t124/nvbctlib_t124.c
index 5df93cd..1f6dc05 100644
--- a/src/t124/nvbctlib_t124.c
+++ b/src/t124/nvbctlib_t124.c
@@ -1152,6 +1152,9 @@ int if_bct_is_t124_get_soc_config(build_image_context *context,
{
	nvboot_config_table *bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
	if (bct->boot_data_version == BOOTDATA_VERSION_T124) {
		t124_get_soc_config(context, soc_config);
		return 1;
diff --git a/src/t132/nvbctlib_t132.c b/src/t132/nvbctlib_t132.c
index ab5ab34..4e5d31a 100644
--- a/src/t132/nvbctlib_t132.c
+++ b/src/t132/nvbctlib_t132.c
@@ -1233,6 +1233,9 @@ int if_bct_is_t132_get_soc_config(build_image_context *context,
{
	nvboot_config_table *bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
	if (bct->boot_data_version == BOOTDATA_VERSION_T132) {
		t132_get_soc_config(context, soc_config);
		return 1;
diff --git a/src/t20/nvbctlib_t20.c b/src/t20/nvbctlib_t20.c
index 4e07bf2..813806f 100644
--- a/src/t20/nvbctlib_t20.c
+++ b/src/t20/nvbctlib_t20.c
@@ -719,6 +719,9 @@ int if_bct_is_t20_get_soc_config(build_image_context *context,
	cbootimage_soc_config **soc_config)
{
	nvboot_config_table * bct = (nvboot_config_table *) context->bct;
+
+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;

	if (bct->boot_data_version == BOOTDATA_VERSION_T20)
	{
diff --git a/src/t210/nvbctlib_t210.c b/src/t210/nvbctlib_t210.c
index 9921bbb..46da441 100644
--- a/src/t210/nvbctlib_t210.c
+++ b/src/t210/nvbctlib_t210.c
@@ -2306,6 +2306,9 @@ int if_bct_is_t210_get_soc_config(build_image_context *context,
{
	nvboot_config_table *bct = (nvboot_config_table*) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
	if (bct->boot_data_version == BOOTDATA_VERSION_T210) {
		t210_get_soc_config(context, soc_config);
		return 1;
diff --git a/src/t30/nvbctlib_t30.c b/src/t30/nvbctlib_t30.c
index df3bef0..3590c89 100644
--- a/src/t30/nvbctlib_t30.c
+++ b/src/t30/nvbctlib_t30.c
@@ -927,6 +927,9 @@ int if_bct_is_t30_get_soc_config(build_image_context *context,
{
	nvboot_config_table * bct = (nvboot_config_table *) context->bct;

+	if (context->bct_size < sizeof(nvboot_config_table))
+		return 0;
+
	if (bct->boot_data_version == BOOTDATA_VERSION_T30)
	{
		t30_get_soc_config(context, soc_config);


* Re: [cbootimage PATCH] tN: if_bct_is_tN_get_soc_config: Adds bounds checking to the BCT buffer.
       [not found] ` <8A8A7455-57BF-4F37-B70B-B1A8F2E16326-BUHhN+a2lJ4@public.gmane.org>
@ 2015-07-08 20:47   ` Stephen Warren
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Warren @ 2015-07-08 20:47 UTC (permalink / raw)
  To: Giancarlo Canales; +Cc: linux-tegra-u79uwXL29TY76Z2rM5mHXA

On 07/04/2015 06:03 PM, Giancarlo Canales wrote:
> Checks if the BCT buffer is too small to be a valid `nvboot_config_table`.

Can you please explain what problem this solves and how to trigger it? 
That explanation should probably be in the commit message too.

