* [PATCH] mtd: parsers: redboot: reject unterminated FIS names
@ 2026-07-01 5:39 Pengpeng Hou
2026-07-02 13:07 ` Miquel Raynal
2026-07-03 13:49 ` Miquel Raynal
0 siblings, 2 replies; 3+ messages in thread
From: Pengpeng Hou @ 2026-07-01 5:39 UTC (permalink / raw)
To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Kees Cook,
Finn Thain
Cc: Pengpeng Hou, linux-mtd, linux-kernel

RedBoot FIS partition names are stored in a fixed 16-byte field that is
expected to be NUL-terminated. parse_redboot_partitions() used strlen()
to size the names area and later copied the same field with strcpy(), so
a malformed table entry without a terminator could make both operations
read beyond the descriptor.

Validate each accepted FIS name with strnlen() before adding it to the
partition list.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/mtd/parsers/redboot.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
index bf162c44..120b2eab 100644
--- a/drivers/mtd/parsers/redboot.c
+++ b/drivers/mtd/parsers/redboot.c
@@ -192,6 +192,7 @@ nogood:
for (i = 0; i < numslots; i++) {
struct fis_list *new_fl, **prev;
+ size_t name_len;
if (buf[i].name[0] == 0xff) {
if (buf[i].name[1] == 0xff) {
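Review bot: The new local `name_len` declared at the top of the loop body differs from the existing accumulator `namelen`, which is updated later in the same loop, by a single underscore, so the two are easy to misread or mistype. A more distinct name such as `slot_name_len` would make it obvious which one is the per-entry length and which one is the running total.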
@@ -203,8 +204,14 @@ nogood:
if (!redboot_checksum(&buf[i]))
break;
+ name_len = strnlen(buf[i].name, sizeof(buf[i].name));
+ if (name_len == sizeof(buf[i].name)) {
+ ret = -EINVAL;
+ goto out;
+ }
+
new_fl = kmalloc_obj(struct fis_list);
- namelen += strlen(buf[i].name) + 1;
+ namelen += name_len + 1;
if (!new_fl) {
ret = -ENOMEM;
goto out;
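Review bot: The new `name_len == sizeof(buf[i].name)` branch leaves through `goto out` with -EINVAL and no message, so a single unterminated name fails the whole parse silently, whereas the checksum failure just above it only does `break`. If rejecting the entire table is intended, say so in a short comment and emit a diagnostic that includes the slot index `i`, so that a malformed FIS directory can be told apart from other -EINVAL causes. The branch reuses the `out` label already used by the -ENOMEM path below, so entries queued in earlier iterations are handled exactly as on that path; it is worth confirming that this is the cleanup you want here too.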
* Re: [PATCH] mtd: parsers: redboot: reject unterminated FIS names
From: Miquel Raynal @ 2026-07-02 13:07 UTC (permalink / raw)
To: Pengpeng Hou
Cc: Richard Weinberger, Vignesh Raghavendra, Kees Cook, Finn Thain,
linux-mtd, linux-kernel
Hi Pengpeng,
On 01/07/2026 at 13:39:09 +08, Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
> RedBoot FIS partition names are stored in a fixed 16-byte field that is
> expected to be NUL-terminated. parse_redboot_partitions() used strlen()
> to size the names area and later copied the same field with strcpy(), so
> a malformed table entry without a terminator could make both operations
> read beyond the descriptor.
>
> Validate each accepted FIS name with strnlen() before adding it to the
> partition list.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Please add Fixes and Cc stable tags whenever you send a fix. The fixes
look correct and are correctly documented, but all of them miss
the tags.
Thanks,
Miquèl
* Re: [PATCH] mtd: parsers: redboot: reject unterminated FIS names
From: Miquel Raynal @ 2026-07-03 13:49 UTC (permalink / raw)
To: Richard Weinberger, Vignesh Raghavendra, Kees Cook, Finn Thain,
Pengpeng Hou
Cc: linux-mtd, linux-kernel
On Wed, 01 Jul 2026 13:39:09 +0800, Pengpeng Hou wrote:
> RedBoot FIS partition names are stored in a fixed 16-byte field that is
> expected to be NUL-terminated. parse_redboot_partitions() used strlen()
> to size the names area and later copied the same field with strcpy(), so
> a malformed table entry without a terminator could make both operations
> read beyond the descriptor.
>
> Validate each accepted FIS name with strnlen() before adding it to the
> partition list.
>
> [...]
Applied to nand/next, thanks!
[1/1] mtd: parsers: redboot: reject unterminated FIS names
commit: adfc275b317c02cd043b0cf28b8cfb7459b041f0
Patch(es) should be available on mtd/linux.git and will be
part of the next PR (provided that no robot complains by then).
Kind regards,
Miquèl