Re: [PATCH] bootstd: android: Fix write outside of memory

[Mattijs Korpershoek <mkorpershoek@kernel.org>]

On Tue, Jan 06, 2026 at 11:16, Tom Rini <trini@konsulko.com> wrote:

> On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote:
>
>> From: Chris Morgan <macromorgan@hotmail.com>
>> 
>> It looks like under certain circumstances when reading the vendor_boot
>> partition it causes my device to write outside the range of memory
>> available. Near as I can tell this occurs because
>> scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
>> which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
>> add_trailer() which attempts to copy information to a buffer allocated
>> with malloc in the scan_vendor_boot_part() function. On my board the
>> memory set aside for malloc is at the top of the system RAM, and given
>> a large enough vendor boot image size this causes the write from
>> add_trailer() to occur outside of the system RAM (nevermind outside
>> of what was allocated with the malloc().
>> 
>> While I don't know the absolute best way to handle this, I would assume
>> that if we simply map the memory we want to use to where we will
>> eventually load the vendor_boot image that would be the most logical.
>> 
>> Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
>> Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
>> ---
>>  boot/bootmeth_android.c | 20 ++++++--------------
>>  1 file changed, 6 insertions(+), 14 deletions(-)
>> 
>> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
>> index 1374551dbeb..c2c25d53ef3 100644
>> --- a/boot/bootmeth_android.c
>> +++ b/boot/bootmeth_android.c
>> @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
>>  	struct blk_desc *desc = dev_get_uclass_plat(blk);
>>  	struct disk_partition partition;
>>  	char partname[PART_NAME_LEN];
>> -	ulong num_blks, bufsz;
>> +	ulong num_blks;
>>  	char *buf;
>>  	int ret;
>> +	ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
>>  
>>  	if (priv->slot)
>>  		sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
>> @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
>>  		return log_msg_ret("part info", ret);
>>  
>>  	num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
>> -	bufsz = num_blks * desc->blksz;
>> -	buf = malloc(bufsz);
>> +	buf = map_sysmem(vloadaddr, 0);
>>  	if (!buf)
>>  		return log_msg_ret("buf", -ENOMEM);
>>  
>>  	ret = blk_read(blk, partition.start, num_blks, buf);
>> -	if (ret != num_blks) {
>> -		free(buf);
>> +	if (ret != num_blks)
>>  		return log_msg_ret("part read", -EIO);
>> -	}
>>  
>> -	if (!is_android_vendor_boot_image_header(buf)) {
>> -		free(buf);
>> +	if (!is_android_vendor_boot_image_header(buf))
>>  		return log_msg_ret("header", -ENOENT);
>> -	}
>>  
>> -	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
>> -		free(buf);
>> +	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
>>  		return log_msg_ret("get vendor bootimg size", -EINVAL);
>> -	}
>> -
>> -	free(buf);
>>  
>>  	return 0;
>>  }
>
> I haven't forgotten about this, but I'm hoping there's some other way to
> solve this, I'm not super keen on adding another environment variable
> (that would need to be documented in a v2 if we can't fix this some
> other way). Mattijs, do you have any ideas?

Sorry for the delay. I'm trying to catch up on my review queue after the
holiday break.
I hope to follow up here in the coming days.

>
> -- 
> Tom