From: Chris Morgan <macroalpha82@gmail.com>
To: u-boot@lists.denx.de
Cc: macromorgan@hotmail.com, mkorpershoek@kernel.org,
sjg@chromium.org, trini@konsulko.com, jmasson@baylibre.com,
nbelin@baylibre.com, bisson.gary@gmail.com
Subject: [PATCH] bootstd: android: Fix write outside of memory
Date: Tue, 23 Dec 2025 17:44:56 -0600
Message-ID: <20251223234456.1983614-1-macroalpha82@gmail.com>
From: Chris Morgan <macromorgan@hotmail.com>
It looks like under certain circumstances when reading the vendor_boot
partition it causes my device to write outside the range of memory
available. Near as I can tell this occurs because
scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
add_trailer() which attempts to copy information to a buffer allocated
with malloc in the scan_vendor_boot_part() function. On my board the
memory set aside for malloc is at the top of the system RAM, and given
a large enough vendor boot image size this causes the write from
add_trailer() to occur outside of the system RAM (never mind outside
of what was allocated with the malloc()).
While I don't know the absolute best way to handle this, I would assume
that if we simply map the memory we want to use to where we will
eventually load the vendor_boot image that would be the most logical.
Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
---
boot/bootmeth_android.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 1374551dbeb..c2c25d53ef3 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
struct blk_desc *desc = dev_get_uclass_plat(blk);
struct disk_partition partition;
char partname[PART_NAME_LEN];
- ulong num_blks, bufsz;
+ ulong num_blks;
char *buf;
int ret;
+ ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
if (priv->slot)
sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
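Review bot: the fallback in `ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);` means an unset or empty variable silently yields address 0, and nothing in this hunk checks for that; the only later guard is the `if (!buf)` after map_sysmem(), which reports -ENOMEM ("buf") for what is really a missing configuration. Suggest checking the value up front, e.g. `if (!vloadaddr) return log_msg_ret("vendor_boot_comp_addr_r", -EINVAL);`, and moving the declaration up with the other `ulong` local instead of placing it after `int ret;`.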
@@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
return log_msg_ret("part info", ret);
num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
- bufsz = num_blks * desc->blksz;
- buf = malloc(bufsz);
+ buf = map_sysmem(vloadaddr, 0);
if (!buf)
return log_msg_ret("buf", -ENOMEM);
ret = blk_read(blk, partition.start, num_blks, buf);
- if (ret != num_blks) {
- free(buf);
+ if (ret != num_blks)
return log_msg_ret("part read", -EIO);
- }
- if (!is_android_vendor_boot_image_header(buf)) {
- free(buf);
+ if (!is_android_vendor_boot_image_header(buf))
return log_msg_ret("header", -ENOENT);
- }
- if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
- free(buf);
+ if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
return log_msg_ret("get vendor bootimg size", -EINVAL);
- }
-
- free(buf);
return 0;
}
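Review bot: the overflow described in the commit message is relocated rather than bounded: `buf = map_sysmem(vloadaddr, 0);` maps with length 0 and blk_read() still fills only num_blks blocks, yet android_image_get_vendor_bootimg_size() (via add_trailer(), per the commit message) writes past that header-sized area, so the write now lands wherever vendor_boot_comp_addr_r points with no check that the region is reserved or large enough. Suggest documenting the minimum size expected at that address, or passing a bounded length down to the parser, so a too-small or overlapping load address fails with an error instead of clobbering memory. Two smaller points: `return log_msg_ret("buf", -ENOMEM);` is now only reachable when vloadaddr is 0, so both the message and the errno are misleading; and the removed free(buf) calls have no matching unmap_sysmem(buf) on the return paths, which is conventionally paired with map_sysmem().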
--
2.43.0
Thread overview: 4+ messages
2025-12-23 23:44 Chris Morgan [this message]
2026-01-06 17:16 ` [PATCH] bootstd: android: Fix write outside of memory Tom Rini
2026-01-07 9:52 ` Mattijs Korpershoek
2026-01-15 22:16 ` Chris Morgan