The Linux Kernel Mailing List
* [PATCH] mtd: parsers: redboot: reject unterminated FIS names
@ 2026-07-01  5:39 Pengpeng Hou
  2026-07-02 13:07 ` Miquel Raynal
  2026-07-03 13:49 ` Miquel Raynal
  0 siblings, 2 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-07-01  5:39 UTC
  To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Kees Cook,
	Finn Thain
  Cc: Pengpeng Hou, linux-mtd, linux-kernel

RedBoot FIS partition names are stored in a fixed 16-byte field that is
expected to be NUL-terminated. parse_redboot_partitions() used strlen()
to size the names area and later copied the same field with strcpy(), so
a malformed table entry without a terminator could make both operations
read beyond the descriptor.

Validate each accepted FIS name with strnlen() before adding it to the
partition list.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/mtd/parsers/redboot.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
index bf162c44..120b2eab 100644
--- a/drivers/mtd/parsers/redboot.c
+++ b/drivers/mtd/parsers/redboot.c
@@ -192,6 +192,7 @@ nogood:
 
 	for (i = 0; i < numslots; i++) {
 		struct fis_list *new_fl, **prev;
+		size_t name_len;
 
 		if (buf[i].name[0] == 0xff) {
 			if (buf[i].name[1] == 0xff) {
@@ -203,8 +204,14 @@ nogood:
 		if (!redboot_checksum(&buf[i]))
 			break;
 
+		name_len = strnlen(buf[i].name, sizeof(buf[i].name));
+		if (name_len == sizeof(buf[i].name)) {
+			ret = -EINVAL;
+			goto out;
+		}
+
 		new_fl = kmalloc_obj(struct fis_list);
-		namelen += strlen(buf[i].name) + 1;
+		namelen += name_len + 1;
 		if (!new_fl) {
 			ret = -ENOMEM;
 			goto out;
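
Review bot: The new name_len == sizeof(buf[i].name) branch fails the whole parse with -EINVAL on a single unterminated name, while the redboot_checksum() failure just above it only leaves the loop with break, and the changelog does not say that this difference is intended. Please either state in the commit message that one malformed name is meant to reject the entire table, or use break to match the checksum case, and consider logging the slot index so the reason for the failure is visible. Placing the check ahead of kmalloc_obj() is right, since nothing has been allocated for this slot when the error path is taken. As Miquel notes in his reply, the Fixes and Cc stable tags are also missing.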


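The bounded scan the commit message describes, as an added userspace C example that is not part of the patch or the kernel source. struct demo_desc, the demo_* helpers and the two-entry table are constructed for illustration, and memchr() stands in for the kernel's strnlen() check.

```c
#include <stddef.h>
#include <string.h>

#define DEMO_NAME_LEN 16 /* field size given in the commit message */

/* Hypothetical stand-in for one table entry; only the name field matters. */
struct demo_desc {
	unsigned char name[DEMO_NAME_LEN];
	unsigned char rest[8]; /* constructed: bytes that follow the name */
};

/* Name length, or -1 when the field holds no NUL; never reads past name[]. */
static long demo_name_len(const struct demo_desc *d)
{
	const unsigned char *nul = memchr(d->name, '\0', sizeof(d->name));
	return nul ? (long)(nul - d->name) : -1;
}

/* Bytes needed for every name plus terminator; -1 rejects the table. */
static long demo_names_area(const struct demo_desc *tbl, size_t n)
{
	long total = 0;
	for (size_t i = 0; i < n; i++) {
		long len = demo_name_len(&tbl[i]);
		if (len < 0)
			return -1; /* plays the role of the patch's -EINVAL */
		total += len + 1;
	}
	return total;
}

/* Constructed table; corrupt != 0 leaves entry 1 without a terminator. */
static long demo_run(int corrupt)
{
	struct demo_desc tbl[2];
	memset(tbl, 0, sizeof(tbl));
	memcpy(tbl[0].name, "RedBoot", 8);
	memcpy(tbl[1].name, "FIS directory", 14);
	if (corrupt) {
		memset(tbl[1].name, 'A', sizeof(tbl[1].name));
		memset(tbl[1].rest, 'B', sizeof(tbl[1].rest)); /* strlen() would run into this */
	}
	return demo_names_area(tbl, 2);
}

int main(void)
{
	return (demo_run(0) == 22 && demo_run(1) == -1) ? 0 : 1;
}
```
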

* Re: [PATCH] mtd: parsers: redboot: reject unterminated FIS names
  2026-07-01  5:39 [PATCH] mtd: parsers: redboot: reject unterminated FIS names Pengpeng Hou
@ 2026-07-02 13:07 ` Miquel Raynal
  2026-07-03 13:49 ` Miquel Raynal
  1 sibling, 0 replies; 3+ messages in thread
From: Miquel Raynal @ 2026-07-02 13:07 UTC
  To: Pengpeng Hou
  Cc: Richard Weinberger, Vignesh Raghavendra, Kees Cook, Finn Thain,
	linux-mtd, linux-kernel

Hi Pengpeng,

On 01/07/2026 at 13:39:09 +08, Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:

> RedBoot FIS partition names are stored in a fixed 16-byte field that is
> expected to be NUL-terminated. parse_redboot_partitions() used strlen()
> to size the names area and later copied the same field with strcpy(), so
> a malformed table entry without a terminator could make both operations
> read beyond the descriptor.
>
> Validate each accepted FIS name with strnlen() before adding it to the
> partition list.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>

Please add Fixes and Cc stable tags whenever you send a fix. The fixes
look correct and are correctly documented, but all of them miss
the tags.

Thanks,
Miquèl


* Re: [PATCH] mtd: parsers: redboot: reject unterminated FIS names
  2026-07-01  5:39 [PATCH] mtd: parsers: redboot: reject unterminated FIS names Pengpeng Hou
  2026-07-02 13:07 ` Miquel Raynal
@ 2026-07-03 13:49 ` Miquel Raynal
  1 sibling, 0 replies; 3+ messages in thread
From: Miquel Raynal @ 2026-07-03 13:49 UTC
  To: Richard Weinberger, Vignesh Raghavendra, Kees Cook, Finn Thain,
	Pengpeng Hou
  Cc: linux-mtd, linux-kernel

On Wed, 01 Jul 2026 13:39:09 +0800, Pengpeng Hou wrote:
> RedBoot FIS partition names are stored in a fixed 16-byte field that is
> expected to be NUL-terminated. parse_redboot_partitions() used strlen()
> to size the names area and later copied the same field with strcpy(), so
> a malformed table entry without a terminator could make both operations
> read beyond the descriptor.
> 
> Validate each accepted FIS name with strnlen() before adding it to the
> partition list.
> 
> [...]

Applied to nand/next, thanks!

[1/1] mtd: parsers: redboot: reject unterminated FIS names
      commit: adfc275b317c02cd043b0cf28b8cfb7459b041f0

Patch(es) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).

Kind regards,
Miquèl


