Re: [PATCH] fastboot: Fix overflow when calculating chunk size

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Tom Rini <trini@konsulko.com>
To: Sean Anderson <sean.anderson@seco.com>
Cc: u-boot@lists.denx.de, Lukasz Majewski <lukma@denx.de>,
	Gary Bisson <gary.bisson@boundarydevices.com>,
	Patrick Delaunay <patrick.delaunay@foss.st.com>,
	Roman Kovalivskyi <roman.kovalivskyi@globallogic.com>,
	Heiko Schocher <hs@denx.de>, Simon Glass <sjg@chromium.org>
Subject: Re: [PATCH] fastboot: Fix overflow when calculating chunk size
Date: Wed, 26 May 2021 17:25:58 -0400	[thread overview]
Message-ID: <20210526212558.GA23831@bill-the-cat> (raw)
In-Reply-To: <20210416215821.3575989-1-sean.anderson@seco.com>

[-- Attachment #1: Type: text/plain, Size: 3136 bytes --]

On Fri, Apr 16, 2021 at 05:58:21PM -0400, Sean Anderson wrote:

> If a chunk was larger than 4GiB, then chunk_data_sz would overflow and
> blkcnt would not be calculated correctly. Upgrade it to a u64 and cast
> its multiplicands as well. Also fix bytes_written while we're at it.
> 
> Signed-off-by: Sean Anderson <sean.anderson@seco.com>
> Reviewed-by: Heiko Schocher <hs@denx.de>
> ---
> 
>  lib/image-sparse.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/image-sparse.c b/lib/image-sparse.c
> index 187ac28cd3..52c8dcc08c 100644
> --- a/lib/image-sparse.c
> +++ b/lib/image-sparse.c
> @@ -55,10 +55,10 @@ int write_sparse_image(struct sparse_storage *info,
>  	lbaint_t blk;
>  	lbaint_t blkcnt;
>  	lbaint_t blks;
> -	uint32_t bytes_written = 0;
> +	uint64_t bytes_written = 0;
>  	unsigned int chunk;
>  	unsigned int offset;
> -	unsigned int chunk_data_sz;
> +	uint64_t chunk_data_sz;
>  	uint32_t *fill_buf = NULL;
>  	uint32_t fill_val;
>  	sparse_header_t *sparse_header;
> @@ -132,7 +132,7 @@ int write_sparse_image(struct sparse_storage *info,
>  				 sizeof(chunk_header_t));
>  		}
>  
> -		chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz;
> +		chunk_data_sz = ((u64)sparse_header->blk_sz) * chunk_header->chunk_sz;
>  		blkcnt = chunk_data_sz / info->blksz;
>  		switch (chunk_header->chunk_type) {
>  		case CHUNK_TYPE_RAW:
> @@ -162,7 +162,7 @@ int write_sparse_image(struct sparse_storage *info,
>  				return -1;
>  			}
>  			blk += blks;
> -			bytes_written += blkcnt * info->blksz;
> +			bytes_written += ((u64)blkcnt) * info->blksz;
>  			total_blocks += chunk_header->chunk_sz;
>  			data += chunk_data_sz;
>  			break;
> @@ -222,7 +222,7 @@ int write_sparse_image(struct sparse_storage *info,
>  				blk += blks;
>  				i += j;
>  			}
> -			bytes_written += blkcnt * info->blksz;
> +			bytes_written += ((u64)blkcnt) * info->blksz;
>  			total_blocks += chunk_data_sz / sparse_header->blk_sz;
>  			free(fill_buf);
>  			break;
> @@ -253,7 +253,7 @@ int write_sparse_image(struct sparse_storage *info,
>  
>  	debug("Wrote %d blocks, expected to write %d blocks\n",
>  	      total_blocks, sparse_header->total_blks);
> -	printf("........ wrote %u bytes to '%s'\n", bytes_written, part_name);
> +	printf("........ wrote %llu bytes to '%s'\n", bytes_written, part_name);
>  
>  	if (total_blocks != sparse_header->total_blks) {
>  		info->mssg("sparse image write failure", response);

This results in things like:
            pico-dwarf-imx7d: all +506 bss +48 rodata +2 text +456
               u-boot: add: 1/0, grow: 1/0 bytes: 452/0 (452)
                 function                                   old     new   delta
                 __aeabi_uldivmod                             -     392    +392
                 write_sparse_image                         712     772     +60

Which I believe means that some of the division above needs to be
converted to use do_div().  Since I can't easily confirm the changes,
can you please check in to it?  Thanks.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

     prev parent reply	other threads:[~2021-05-26 21:26 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-16 21:58 [PATCH] fastboot: Fix overflow when calculating chunk size Sean Anderson
2021-04-19  4:31 ` Heiko Schocher
2021-04-19 14:13   ` Sean Anderson
2021-05-13 15:54 ` Sean Anderson
2021-05-25 15:45   ` Sean Anderson
2021-05-26  7:12     ` Lukasz Majewski
2021-05-26 21:25 ` Tom Rini [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210526212558.GA23831@bill-the-cat \
    --to=trini@konsulko.com \
    --cc=gary.bisson@boundarydevices.com \
    --cc=hs@denx.de \
    --cc=lukma@denx.de \
    --cc=patrick.delaunay@foss.st.com \
    --cc=roman.kovalivskyi@globallogic.com \
    --cc=sean.anderson@seco.com \
    --cc=sjg@chromium.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox