From: Michal Simek
Date: Fri, 08 Nov 2013 13:04:10 +0100
Subject: [U-Boot] [PATCH 3/6] gzip: correctly bounds-check output buffer
In-Reply-To: <1376665157-31268-4-git-send-email-keescook@chromium.org>
References: <1376665157-31268-1-git-send-email-keescook@chromium.org> <1376665157-31268-4-git-send-email-keescook@chromium.org>
Message-ID: <527CD33A.4030409@monstr.eu>
To: u-boot@lists.denx.de

Hi Kees,

On 08/16/2013 04:59 PM, Kees Cook wrote:
> The output buffer size must not be reset by the gzip decoder or there
> is a risk of overflowing memory during decompression.
>
> Signed-off-by: Kees Cook
> Acked-by: Simon Glass
> ---
> lib/gunzip.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/lib/gunzip.c b/lib/gunzip.c
> index 9959781..35abfb3 100644
> --- a/lib/gunzip.c
> +++ b/lib/gunzip.c
> @@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
> s.avail_out = dstlen;
> do {
> r = inflate(&s, Z_FINISH);
> - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
> + if (stoponerr == 1 && r != Z_STREAM_END &&
> + (s.avail_out == 0 || r != Z_BUF_ERROR)) {
> printf("Error: inflate() returned %d\n", r);
> inflateEnd(&s);
> return -1;
> }
> s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
> - s.avail_out = dstlen;
> } while (r == Z_BUF_ERROR);
> *lenp = s.next_out - (unsigned char *) dst;
> inflateEnd(&s);
>

I have done a u-boot upgrade to the v2013.10 version and I see the problem
with this patch when I am trying to boot my zynq image.
After reverting this patch everything works as expected.

Here is the image I am using.
http://www.monstr.eu/20131108-image.ub

Below is the bootlog. Do you have any idea what can be wrong?

Thanks,
Michal

U-Boot 2013.10 (Nov 08 2013 - 13:02:26)
Memory: ECC disabled
DRAM: 1 GiB
WARNING: Caches not enabled
MMC: zynq_sdhci: 0
SF: Detected N25Q128A with page size 256 Bytes, erase size 4 KiB, total 16 MiB
*** Warning - bad CRC, using default environment

In: serial
Out: serial
Err: serial
Net: Gem.e000b000
U-BOOT for zynq-zc702

Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
BOOTP broadcast 1
DHCP client bound to address 192.168.0.90
Hit any key to stop autoboot: 0
U-Boot-PetaLinux> run netboot
Gem.e000b000:7 is connected to Gem.e000b000. Reconnecting to Gem.e000b000
Gem.e000b000 Waiting for PHY auto negotiation to complete.... done
Using Gem.e000b000 device
TFTP from server 192.168.0.100; our IP address is 192.168.0.90
Filename 'image.ub'.
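Review bot: with the `s.avail_out = dstlen;` reset gone, the loop can now spin forever when stoponerr is not 1. Once the output buffer is full, inflate() returns Z_BUF_ERROR on every call without making progress, the new check is skipped because it is guarded by `stoponerr == 1`, and `} while (r == Z_BUF_ERROR);` repeats the identical call indefinitely. Suggest leaving the loop on a full buffer independently of stoponerr, e.g. `} while (r == Z_BUF_ERROR && s.avail_out != 0);`, or testing `s.avail_out == 0` before the stoponerr condition. Note also that the -5 in the boot log below is Z_BUF_ERROR, which under the new condition reaches the error path only when avail_out has hit 0: the uncompressed kernel is larger than the dstlen the caller hands to zunzip(), which is exactly the case this hunk is meant to catch, so the buffer size passed by the caller is what needs checking rather than this condition.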
Load address: 0x1000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #######################################
         2 MiB/s
done
Bytes transferred = 12964752 (c5d390 hex)
## Loading kernel from FIT Image at 01000000 ...
   Using 'conf@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  PetaLinux Kernel
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x010000f0
     Data Size:    12949283 Bytes = 12.3 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x10008000
     Entry Point:  0x10008000
     Hash algo:    crc32
     Hash value:   39564940
   Verifying Hash Integrity ... crc32+ OK
## Loading fdt from FIT Image at 01000000 ...
   Using 'conf@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  Flattened Device Tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x01c598f8
     Data Size:    14133 Bytes = 13.8 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   be457cb0
     Hash algo:    sha1
     Hash value:   206ffdb413e297d4a143a47fa8598cee4527a63a
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x1c598f8
   Uncompressing Kernel Image ...
Error: inflate() returned -5
GUNZIP: uncompress, out-of-mem or overwrite error - must RESET board to recover

resetting ...

--
Michal Simek, Ing. (M.Eng), OpenPGP -> KeyID: FE3D1F91
w: www.monstr.eu p: +42-0-721842854
Maintainer of Linux kernel - Microblaze cpu - http://www.monstr.eu/fdt/
Maintainer of Linux kernel - Xilinx Zynq ARM architecture
Microblaze U-BOOT custodian and responsible for u-boot arm zynq platform
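Added example, not code from the patch or from U-Boot: the output accounting of the patched zunzip() loop mirrored in Python, with the standard zlib module standing in for inflate() (max_length plays the role of s.avail_out), beside the pre-patch variant that resets the budget on every pass. The gzip payload is constructed inline and all function names are my own.

```python
import gzip
import zlib

# Constructed sample standing in for the gzip-compressed kernel inside image.ub.
PAYLOAD = bytes(range(256)) * 64        # inflates to 16384 bytes
GZ = gzip.compress(PAYLOAD)

class OutputOverflow(Exception):
    """The inflated data would not fit in a destination buffer of dstlen bytes."""

def _inflate(src: bytes, dstlen: int, reset_budget: bool) -> bytes:
    # reset_budget=True mirrors the pre-patch loop (s.avail_out = dstlen each pass).
    if dstlen <= 0:
        raise ValueError("dstlen must be positive")   # max_length=0 means unlimited here
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    avail_out = dstlen                                 # s.avail_out = dstlen; set once
    data = src
    while True:
        produced = d.decompress(data, max_length=avail_out)  # one inflate() call
        out += produced
        if d.eof:                                      # Z_STREAM_END: image complete
            return bytes(out)
        if reset_budget:
            avail_out = dstlen                         # the line the patch deletes
        else:
            avail_out -= len(produced)
            if avail_out == 0:                         # Z_BUF_ERROR with no room left
                raise OutputOverflow(f"image larger than the {dstlen}-byte buffer")
        data = d.unconsumed_tail
        if not data and not produced:                  # input exhausted, no end marker
            raise zlib.error("truncated gzip stream")

def gunzip_bounded(src: bytes, dstlen: int) -> bytes:
    """Patched zunzip() semantics: never returns more than dstlen bytes."""
    return _inflate(src, dstlen, reset_budget=False)

def gunzip_reset_each_pass(src: bytes, dstlen: int) -> bytes:
    """Pre-patch semantics: total output silently exceeds dstlen (a RAM overrun in C)."""
    return _inflate(src, dstlen, reset_budget=True)

def check_image(src: bytes, dstlen: int) -> str:
    """Classify an image against a buffer size: 'ok', 'overflow' or 'truncated'."""
    try:
        gunzip_bounded(src, dstlen)
        return "ok"
    except OutputOverflow:
        return "overflow"
    except zlib.error:
        return "truncated"
```

With a 4096-byte budget the bounded variant reports "overflow" where the reset variant hands back all 16384 bytes, which is the overrun the patch closes.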