[PATCH] bootstd: android: Fix write outside of memory

[PATCH] bootstd: android: Fix write outside of memory

[Chris Morgan]

From: Chris Morgan <macromorgan@hotmail.com>

It looks like under certain circumstances when reading the vendor_boot
partition it causes my device to write outside the range of memory
available. Near as I can tell this occurs because
scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
add_trailer() which attempts to copy information to a buffer allocated
with malloc in the scan_vendor_boot_part() function. On my board the
memory set aside for malloc is at the top of the system RAM, and given
a large enough vendor boot image size this causes the write from
add_trailer() to occur outside of the system RAM (nevermind outside
of what was allocated with the malloc().

While I don't know the absolute best way to handle this, I would assume
that if we simply map the memory we want to use to where we will
eventually load the vendor_boot image that would be the most logical.

Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
---
 boot/bootmeth_android.c | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 1374551dbeb..c2c25d53ef3 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
 	struct blk_desc *desc = dev_get_uclass_plat(blk);
 	struct disk_partition partition;
 	char partname[PART_NAME_LEN];
-	ulong num_blks, bufsz;
+	ulong num_blks;
 	char *buf;
 	int ret;
+	ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
 
 	if (priv->slot)
 		sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
@@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
 		return log_msg_ret("part info", ret);
 
 	num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
-	bufsz = num_blks * desc->blksz;
-	buf = malloc(bufsz);
+	buf = map_sysmem(vloadaddr, 0);
 	if (!buf)
 		return log_msg_ret("buf", -ENOMEM);
 
 	ret = blk_read(blk, partition.start, num_blks, buf);
-	if (ret != num_blks) {
-		free(buf);
+	if (ret != num_blks)
 		return log_msg_ret("part read", -EIO);
-	}
 
-	if (!is_android_vendor_boot_image_header(buf)) {
-		free(buf);
+	if (!is_android_vendor_boot_image_header(buf))
 		return log_msg_ret("header", -ENOENT);
-	}
 
-	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
-		free(buf);
+	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
 		return log_msg_ret("get vendor bootimg size", -EINVAL);
-	}
-
-	free(buf);
 
 	return 0;
 }
-- 
2.43.0

Re: [PATCH] bootstd: android: Fix write outside of memory

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 3319 bytes --]

On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote:

> From: Chris Morgan <macromorgan@hotmail.com>
> 
> It looks like under certain circumstances when reading the vendor_boot
> partition it causes my device to write outside the range of memory
> available. Near as I can tell this occurs because
> scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
> which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
> add_trailer() which attempts to copy information to a buffer allocated
> with malloc in the scan_vendor_boot_part() function. On my board the
> memory set aside for malloc is at the top of the system RAM, and given
> a large enough vendor boot image size this causes the write from
> add_trailer() to occur outside of the system RAM (nevermind outside
> of what was allocated with the malloc().
> 
> While I don't know the absolute best way to handle this, I would assume
> that if we simply map the memory we want to use to where we will
> eventually load the vendor_boot image that would be the most logical.
> 
> Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
> Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
> ---
>  boot/bootmeth_android.c | 20 ++++++--------------
>  1 file changed, 6 insertions(+), 14 deletions(-)
> 
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 1374551dbeb..c2c25d53ef3 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
>  	struct blk_desc *desc = dev_get_uclass_plat(blk);
>  	struct disk_partition partition;
>  	char partname[PART_NAME_LEN];
> -	ulong num_blks, bufsz;
> +	ulong num_blks;
>  	char *buf;
>  	int ret;
> +	ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
>  
>  	if (priv->slot)
>  		sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
> @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
>  		return log_msg_ret("part info", ret);
>  
>  	num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
> -	bufsz = num_blks * desc->blksz;
> -	buf = malloc(bufsz);
> +	buf = map_sysmem(vloadaddr, 0);
>  	if (!buf)
>  		return log_msg_ret("buf", -ENOMEM);
>  
>  	ret = blk_read(blk, partition.start, num_blks, buf);
> -	if (ret != num_blks) {
> -		free(buf);
> +	if (ret != num_blks)
>  		return log_msg_ret("part read", -EIO);
> -	}
>  
> -	if (!is_android_vendor_boot_image_header(buf)) {
> -		free(buf);
> +	if (!is_android_vendor_boot_image_header(buf))
>  		return log_msg_ret("header", -ENOENT);
> -	}
>  
> -	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
> -		free(buf);
> +	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
>  		return log_msg_ret("get vendor bootimg size", -EINVAL);
> -	}
> -
> -	free(buf);
>  
>  	return 0;
>  }

I haven't forgotten about this, but I'm hoping there's some other way to
solve this, I'm not super keen on adding another environment variable
(that would need to be documented in a v2 if we can't fix this some
other way). Mattijs, do you have any ideas?

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH] bootstd: android: Fix write outside of memory

[Mattijs Korpershoek]

On Tue, Jan 06, 2026 at 11:16, Tom Rini <trini@konsulko.com> wrote:

> On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote:
>
>> From: Chris Morgan <macromorgan@hotmail.com>
>> 
>> It looks like under certain circumstances when reading the vendor_boot
>> partition it causes my device to write outside the range of memory
>> available. Near as I can tell this occurs because
>> scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
>> which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
>> add_trailer() which attempts to copy information to a buffer allocated
>> with malloc in the scan_vendor_boot_part() function. On my board the
>> memory set aside for malloc is at the top of the system RAM, and given
>> a large enough vendor boot image size this causes the write from
>> add_trailer() to occur outside of the system RAM (nevermind outside
>> of what was allocated with the malloc().
>> 
>> While I don't know the absolute best way to handle this, I would assume
>> that if we simply map the memory we want to use to where we will
>> eventually load the vendor_boot image that would be the most logical.
>> 
>> Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
>> Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
>> ---
>>  boot/bootmeth_android.c | 20 ++++++--------------
>>  1 file changed, 6 insertions(+), 14 deletions(-)
>> 
>> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
>> index 1374551dbeb..c2c25d53ef3 100644
>> --- a/boot/bootmeth_android.c
>> +++ b/boot/bootmeth_android.c
>> @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
>>  	struct blk_desc *desc = dev_get_uclass_plat(blk);
>>  	struct disk_partition partition;
>>  	char partname[PART_NAME_LEN];
>> -	ulong num_blks, bufsz;
>> +	ulong num_blks;
>>  	char *buf;
>>  	int ret;
>> +	ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
>>  
>>  	if (priv->slot)
>>  		sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
>> @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
>>  		return log_msg_ret("part info", ret);
>>  
>>  	num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
>> -	bufsz = num_blks * desc->blksz;
>> -	buf = malloc(bufsz);
>> +	buf = map_sysmem(vloadaddr, 0);
>>  	if (!buf)
>>  		return log_msg_ret("buf", -ENOMEM);
>>  
>>  	ret = blk_read(blk, partition.start, num_blks, buf);
>> -	if (ret != num_blks) {
>> -		free(buf);
>> +	if (ret != num_blks)
>>  		return log_msg_ret("part read", -EIO);
>> -	}
>>  
>> -	if (!is_android_vendor_boot_image_header(buf)) {
>> -		free(buf);
>> +	if (!is_android_vendor_boot_image_header(buf))
>>  		return log_msg_ret("header", -ENOENT);
>> -	}
>>  
>> -	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
>> -		free(buf);
>> +	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
>>  		return log_msg_ret("get vendor bootimg size", -EINVAL);
>> -	}
>> -
>> -	free(buf);
>>  
>>  	return 0;
>>  }
>
> I haven't forgotten about this, but I'm hoping there's some other way to
> solve this, I'm not super keen on adding another environment variable
> (that would need to be documented in a v2 if we can't fix this some
> other way). Mattijs, do you have any ideas?

Sorry for the delay. I'm trying to catch up on my review queue after the
holiday break.
I hope to follow up here in the coming days.

>
> -- 
> Tom

Re: [PATCH] bootstd: android: Fix write outside of memory

[Chris Morgan]

On Tue, Jan 06, 2026 at 11:16:33AM -0600, Tom Rini wrote:
> On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote:
> 
> > From: Chris Morgan <macromorgan@hotmail.com>
> > 
> > It looks like under certain circumstances when reading the vendor_boot
> > partition it causes my device to write outside the range of memory
> > available. Near as I can tell this occurs because
> > scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
> > which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
> > add_trailer() which attempts to copy information to a buffer allocated
> > with malloc in the scan_vendor_boot_part() function. On my board the
> > memory set aside for malloc is at the top of the system RAM, and given
> > a large enough vendor boot image size this causes the write from
> > add_trailer() to occur outside of the system RAM (nevermind outside
> > of what was allocated with the malloc().
> > 
> > While I don't know the absolute best way to handle this, I would assume
> > that if we simply map the memory we want to use to where we will
> > eventually load the vendor_boot image that would be the most logical.
> > 
> > Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
> > Signed-off-by: Chris Morgan <macromorgan@hotmail.com>
> > ---
> >  boot/bootmeth_android.c | 20 ++++++--------------
> >  1 file changed, 6 insertions(+), 14 deletions(-)
> > 
> > diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> > index 1374551dbeb..c2c25d53ef3 100644
> > --- a/boot/bootmeth_android.c
> > +++ b/boot/bootmeth_android.c
> > @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
> >  	struct blk_desc *desc = dev_get_uclass_plat(blk);
> >  	struct disk_partition partition;
> >  	char partname[PART_NAME_LEN];
> > -	ulong num_blks, bufsz;
> > +	ulong num_blks;
> >  	char *buf;
> >  	int ret;
> > +	ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
> >  
> >  	if (priv->slot)
> >  		sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
> > @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)
> >  		return log_msg_ret("part info", ret);
> >  
> >  	num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), desc->blksz);
> > -	bufsz = num_blks * desc->blksz;
> > -	buf = malloc(bufsz);
> > +	buf = map_sysmem(vloadaddr, 0);
> >  	if (!buf)
> >  		return log_msg_ret("buf", -ENOMEM);
> >  
> >  	ret = blk_read(blk, partition.start, num_blks, buf);
> > -	if (ret != num_blks) {
> > -		free(buf);
> > +	if (ret != num_blks)
> >  		return log_msg_ret("part read", -EIO);
> > -	}
> >  
> > -	if (!is_android_vendor_boot_image_header(buf)) {
> > -		free(buf);
> > +	if (!is_android_vendor_boot_image_header(buf))
> >  		return log_msg_ret("header", -ENOENT);
> > -	}
> >  
> > -	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size)) {
> > -		free(buf);
> > +	if (!android_image_get_vendor_bootimg_size(buf, &priv->vendor_boot_img_size))
> >  		return log_msg_ret("get vendor bootimg size", -EINVAL);
> > -	}
> > -
> > -	free(buf);
> >  
> >  	return 0;
> >  }
> 
> I haven't forgotten about this, but I'm hoping there's some other way to
> solve this, I'm not super keen on adding another environment variable
> (that would need to be documented in a v2 if we can't fix this some
> other way). Mattijs, do you have any ideas?
> 

Would using hdr->ramdisk_addr as the end address in
android_vendor_boot_image_v3_v4_parse_hdr() work instead of (ulong)hdr?

That of course assumes the ram disk isn't manually loaded elsewhere.

Thank you,
Chris

> -- 
> Tom