[U-Boot] [PATCH 3/6] gzip: correctly bounds-check output buffer

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Michal Simek <monstr@monstr.eu>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 3/6] gzip: correctly bounds-check output buffer
Date: Fri, 08 Nov 2013 13:04:10 +0100	[thread overview]
Message-ID: <527CD33A.4030409@monstr.eu> (raw)
In-Reply-To: <1376665157-31268-4-git-send-email-keescook@chromium.org>

Hi Kees,

On 08/16/2013 04:59 PM, Kees Cook wrote:
> The output buffer size must not be reset by the gzip decoder or there
> is a risk of overflowing memory during decompression.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Acked-by: Simon Glass <sjg@chromium.org>
> ---
>  lib/gunzip.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/gunzip.c b/lib/gunzip.c
> index 9959781..35abfb3 100644
> --- a/lib/gunzip.c
> +++ b/lib/gunzip.c
> @@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
>  	s.avail_out = dstlen;
>  	do {
>  		r = inflate(&s, Z_FINISH);
> -		if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
> +		if (stoponerr == 1 && r != Z_STREAM_END &&
> +		    (s.avail_out == 0 || r != Z_BUF_ERROR)) {
>  			printf("Error: inflate() returned %d\n", r);
>  			inflateEnd(&s);
>  			return -1;
>  		}
>  		s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
> -		s.avail_out = dstlen;
>  	} while (r == Z_BUF_ERROR);
>  	*lenp = s.next_out - (unsigned char *) dst;
>  	inflateEnd(&s);
> 

I have done u-boot upgrade to v2013.10 version and I see the problem with this patch
when I am trying to boot my zynq image.

After reverting this patch everything works as expected.

Here is the image I am using.
http://www.monstr.eu/20131108-image.ub

Below is the bootlog.

Do you have any idea what can be wrong?

Thanks,
Michal

U-Boot 2013.10 (Nov 08 2013 - 13:02:26)

Memory: ECC disabled
DRAM:  1 GiB
WARNING: Caches not enabled
MMC:   zynq_sdhci: 0
SF: Detected N25Q128A with page size 256 Bytes, erase size 4 KiB, total 16 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   Gem.e000b000
U-BOOT for zynq-zc702

Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
BOOTP broadcast 1
DHCP client bound to address 192.168.0.90
Hit any key to stop autoboot:  0
U-Boot-PetaLinux> run netboot
Gem.e000b000:7 is connected to Gem.e000b000.  Reconnecting to Gem.e000b000
Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
Using Gem.e000b000 device
TFTP from server 192.168.0.100; our IP address is 192.168.0.90
Filename 'image.ub'.
Load address: 0x1000000
Loading: #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #######################################
	 2 MiB/s
done
Bytes transferred = 12964752 (c5d390 hex)
## Loading kernel from FIT Image at 01000000 ...
   Using 'conf at 1' configuration
   Trying 'kernel at 1' kernel subimage
     Description:  PetaLinux Kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x010000f0
     Data Size:    12949283 Bytes = 12.3 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x10008000
     Entry Point:  0x10008000
     Hash algo:    crc32
     Hash value:   39564940
   Verifying Hash Integrity ... crc32+ OK
## Loading fdt from FIT Image at 01000000 ...
   Using 'conf at 1' configuration
   Trying 'fdt at 1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x01c598f8
     Data Size:    14133 Bytes = 13.8 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   be457cb0
     Hash algo:    sha1
     Hash value:   206ffdb413e297d4a143a47fa8598cee4527a63a
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x1c598f8
   Uncompressing Kernel Image ... Error: inflate() returned -5
GUNZIP: uncompress, out-of-mem or overwrite error - must RESET board to recover
resetting ...


-- 
Michal Simek, Ing. (M.Eng), OpenPGP -> KeyID: FE3D1F91
w: www.monstr.eu p: +42-0-721842854
Maintainer of Linux kernel - Microblaze cpu - http://www.monstr.eu/fdt/
Maintainer of Linux kernel - Xilinx Zynq ARM architecture
Microblaze U-BOOT custodian and responsible for u-boot arm zynq platform


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20131108/6b21f45d/attachment.pgp>

next prev parent reply	other threads:[~2013-11-08 12:04 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-16 14:59 [U-Boot] [PATCH v2 0/6] handle compression buffer overflows Kees Cook
2013-08-16 14:59 ` [U-Boot] [PATCH 1/6] sandbox: add compression tests Kees Cook
2013-08-19 17:11   ` Simon Glass
2013-08-16 14:59 ` [U-Boot] [PATCH 2/6] documentation: add more compression configs Kees Cook
2013-08-19 17:12   ` Simon Glass
2013-08-16 14:59 ` [U-Boot] [PATCH 3/6] gzip: correctly bounds-check output buffer Kees Cook
2013-11-08 12:04   ` Michal Simek [this message]
2013-11-08 15:21     ` Kees Cook
2013-11-08 15:40       ` Michal Simek
2013-11-08 15:50         ` Michal Simek
2013-08-16 14:59 ` [U-Boot] [PATCH 4/6] lzma: " Kees Cook
2013-08-16 14:59 ` [U-Boot] [PATCH 5/6] lzo: " Kees Cook
2013-08-16 14:59 ` [U-Boot] [PATCH 6/6] bootm: allow correct bounds-check of destination Kees Cook
2013-08-28 18:13 ` [U-Boot] [PATCH v2 0/6] handle compression buffer overflows Kees Cook
2013-08-28 23:27   ` Simon Glass
  -- strict thread matches above, loose matches on Subject: below --
2013-08-12 23:01 [U-Boot] [PATCH " Kees Cook
2013-08-12 23:02 ` [U-Boot] [PATCH 3/6] gzip: correctly bounds-check output buffer Kees Cook
2013-08-14 17:37   ` Simon Glass

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=527CD33A.4030409@monstr.eu \
    --to=monstr@monstr.eu \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox