* [PATCH] ifwitool: Fix member access
@ 2023-01-18 20:13 Simon Glass
2023-01-21 18:14 ` Sean Anderson
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Simon Glass @ 2023-01-18 20:13 UTC (permalink / raw)
To: u-boot; +Cc: Mikhail Ilin, Simon Glass
On a second and third look, a recent patch seems to be writing to the
wrong place - updating offsets from the address of the pointer instead
of what the pointer points to.
Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
---
tools/ifwitool.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/tools/ifwitool.c b/tools/ifwitool.c
index 31591863b2e..c1defe57737 100644
--- a/tools/ifwitool.c
+++ b/tools/ifwitool.c
@@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes,
*/
static size_t fix_member(void *data, size_t offset, size_t size_bytes)
{
- uint8_t *src = (uint8_t *)data + offset;
+ void *src = (uint8_t *)data + offset;
switch (size_bytes) {
case 1:
@@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf)
size_t offset = 0;
- offset = fix_member(&s, offset, sizeof(h->signature));
- offset = fix_member(&s, offset, sizeof(h->descriptor_count));
- offset = fix_member(&s, offset, sizeof(h->bpdt_version));
- offset = fix_member(&s, offset, sizeof(h->xor_redundant_block));
- offset = fix_member(&s, offset, sizeof(h->ifwi_version));
- offset = fix_member(&s, offset, sizeof(h->fit_tool_version));
+ offset = fix_member(s, offset, sizeof(h->signature));
+ offset = fix_member(s, offset, sizeof(h->descriptor_count));
+ offset = fix_member(s, offset, sizeof(h->bpdt_version));
+ offset = fix_member(s, offset, sizeof(h->xor_redundant_block));
+ offset = fix_member(s, offset, sizeof(h->ifwi_version));
+ offset = fix_member(s, offset, sizeof(h->fit_tool_version));
uint32_t i;
for (i = 0; i < count; i++) {
- offset = fix_member(&s, offset, sizeof(e[i].type));
- offset = fix_member(&s, offset, sizeof(e[i].flags));
- offset = fix_member(&s, offset, sizeof(e[i].offset));
- offset = fix_member(&s, offset, sizeof(e[i].size));
+ offset = fix_member(s, offset, sizeof(e[i].type));
+ offset = fix_member(s, offset, sizeof(e[i].flags));
+ offset = fix_member(s, offset, sizeof(e[i].offset));
+ offset = fix_member(s, offset, sizeof(e[i].size));
}
}
@@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf)
size_t count = h->num_entries;
size_t offset = 0;
- offset = fix_member(&s, offset, sizeof(h->marker));
- offset = fix_member(&s, offset, sizeof(h->num_entries));
- offset = fix_member(&s, offset, sizeof(h->header_version));
- offset = fix_member(&s, offset, sizeof(h->entry_version));
- offset = fix_member(&s, offset, sizeof(h->header_length));
- offset = fix_member(&s, offset, sizeof(h->checksum));
+ offset = fix_member(s, offset, sizeof(h->marker));
+ offset = fix_member(s, offset, sizeof(h->num_entries));
+ offset = fix_member(s, offset, sizeof(h->header_version));
+ offset = fix_member(s, offset, sizeof(h->entry_version));
+ offset = fix_member(s, offset, sizeof(h->header_length));
+ offset = fix_member(s, offset, sizeof(h->checksum));
offset += sizeof(h->name);
uint32_t i;
for (i = 0; i < count; i++) {
offset += sizeof(e[i].name);
- offset = fix_member(&s, offset, sizeof(e[i].offset));
- offset = fix_member(&s, offset, sizeof(e[i].length));
- offset = fix_member(&s, offset, sizeof(e[i].rsvd));
+ offset = fix_member(s, offset, sizeof(e[i].offset));
+ offset = fix_member(s, offset, sizeof(e[i].length));
+ offset = fix_member(s, offset, sizeof(e[i].rsvd));
}
}
--
2.39.0.246.g2a6d74b583-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] ifwitool: Fix member access
2023-01-18 20:13 [PATCH] ifwitool: Fix member access Simon Glass
@ 2023-01-21 18:14 ` Sean Anderson
2023-01-21 18:17 ` Sean Anderson
2023-01-27 19:07 ` Tom Rini
2 siblings, 0 replies; 5+ messages in thread
From: Sean Anderson @ 2023-01-21 18:14 UTC (permalink / raw)
To: Simon Glass, u-boot; +Cc: Mikhail Ilin
On 1/18/23 15:13, Simon Glass wrote:
> On a second and third look, a recent patch seems to be writing to the
> wrong place - updating offsets from the address of the pointer instead
> of what the pointer points to.
>
> Fix it.
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
> ---
>
> tools/ifwitool.c | 40 ++++++++++++++++++++--------------------
> 1 file changed, 20 insertions(+), 20 deletions(-)
>
> diff --git a/tools/ifwitool.c b/tools/ifwitool.c
> index 31591863b2e..c1defe57737 100644
> --- a/tools/ifwitool.c
> +++ b/tools/ifwitool.c
> @@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes,
> */
> static size_t fix_member(void *data, size_t offset, size_t size_bytes)
> {
> - uint8_t *src = (uint8_t *)data + offset;
> + void *src = (uint8_t *)data + offset;
>
> switch (size_bytes) {
> case 1:
> @@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf)
>
> size_t offset = 0;
>
> - offset = fix_member(&s, offset, sizeof(h->signature));
> - offset = fix_member(&s, offset, sizeof(h->descriptor_count));
> - offset = fix_member(&s, offset, sizeof(h->bpdt_version));
> - offset = fix_member(&s, offset, sizeof(h->xor_redundant_block));
> - offset = fix_member(&s, offset, sizeof(h->ifwi_version));
> - offset = fix_member(&s, offset, sizeof(h->fit_tool_version));
> + offset = fix_member(s, offset, sizeof(h->signature));
> + offset = fix_member(s, offset, sizeof(h->descriptor_count));
> + offset = fix_member(s, offset, sizeof(h->bpdt_version));
> + offset = fix_member(s, offset, sizeof(h->xor_redundant_block));
> + offset = fix_member(s, offset, sizeof(h->ifwi_version));
> + offset = fix_member(s, offset, sizeof(h->fit_tool_version));
>
> uint32_t i;
>
> for (i = 0; i < count; i++) {
> - offset = fix_member(&s, offset, sizeof(e[i].type));
> - offset = fix_member(&s, offset, sizeof(e[i].flags));
> - offset = fix_member(&s, offset, sizeof(e[i].offset));
> - offset = fix_member(&s, offset, sizeof(e[i].size));
> + offset = fix_member(s, offset, sizeof(e[i].type));
> + offset = fix_member(s, offset, sizeof(e[i].flags));
> + offset = fix_member(s, offset, sizeof(e[i].offset));
> + offset = fix_member(s, offset, sizeof(e[i].size));
> }
> }
>
> @@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf)
> size_t count = h->num_entries;
> size_t offset = 0;
>
> - offset = fix_member(&s, offset, sizeof(h->marker));
> - offset = fix_member(&s, offset, sizeof(h->num_entries));
> - offset = fix_member(&s, offset, sizeof(h->header_version));
> - offset = fix_member(&s, offset, sizeof(h->entry_version));
> - offset = fix_member(&s, offset, sizeof(h->header_length));
> - offset = fix_member(&s, offset, sizeof(h->checksum));
> + offset = fix_member(s, offset, sizeof(h->marker));
> + offset = fix_member(s, offset, sizeof(h->num_entries));
> + offset = fix_member(s, offset, sizeof(h->header_version));
> + offset = fix_member(s, offset, sizeof(h->entry_version));
> + offset = fix_member(s, offset, sizeof(h->header_length));
> + offset = fix_member(s, offset, sizeof(h->checksum));
> offset += sizeof(h->name);
>
> uint32_t i;
>
> for (i = 0; i < count; i++) {
> offset += sizeof(e[i].name);
> - offset = fix_member(&s, offset, sizeof(e[i].offset));
> - offset = fix_member(&s, offset, sizeof(e[i].length));
> - offset = fix_member(&s, offset, sizeof(e[i].rsvd));
> + offset = fix_member(s, offset, sizeof(e[i].offset));
> + offset = fix_member(s, offset, sizeof(e[i].length));
> + offset = fix_member(s, offset, sizeof(e[i].rsvd));
> }
> }
>
This fixes build errors for me.
Acked-by: Sean Anderson <seanga2@gmail.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ifwitool: Fix member access
2023-01-18 20:13 [PATCH] ifwitool: Fix member access Simon Glass
2023-01-21 18:14 ` Sean Anderson
@ 2023-01-21 18:17 ` Sean Anderson
2023-01-21 18:17 ` Sean Anderson
2023-01-27 19:07 ` Tom Rini
2 siblings, 1 reply; 5+ messages in thread
From: Sean Anderson @ 2023-01-21 18:17 UTC (permalink / raw)
To: u-boot, sjg; +Cc: Sean Anderson, ilin.mikhail.ol
On Wed, 18 Jan 2023 13:13:17 -0700, Simon Glass wrote:
> On a second and third look, a recent patch seems to be writing to the
> wrong place - updating offsets from the address of the pointer instead
> of what the pointer points to.
>
> Fix it.
>
>
> [...]
Applied, thanks!
[1/1] ifwitool: Fix member access
commit: 87e7a02ae966331892bf57fc16aeccbb23387e04
Best regards,
--
Sean Anderson <seanga2@gmail.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ifwitool: Fix member access
2023-01-21 18:17 ` Sean Anderson
@ 2023-01-21 18:17 ` Sean Anderson
0 siblings, 0 replies; 5+ messages in thread
From: Sean Anderson @ 2023-01-21 18:17 UTC (permalink / raw)
To: u-boot, sjg; +Cc: ilin.mikhail.ol
On 1/21/23 13:17, Sean Anderson wrote:
> On Wed, 18 Jan 2023 13:13:17 -0700, Simon Glass wrote:
>> On a second and third look, a recent patch seems to be writing to the
>> wrong place - updating offsets from the address of the pointer instead
>> of what the pointer points to.
>>
>> Fix it.
>>
>>
>> [...]
>
> Applied, thanks!
>
> [1/1] ifwitool: Fix member access
> commit: 87e7a02ae966331892bf57fc16aeccbb23387e04
>
> Best regards,
Whoops, sent this for the wrong patch.
--Sean
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] ifwitool: Fix member access
2023-01-18 20:13 [PATCH] ifwitool: Fix member access Simon Glass
2023-01-21 18:14 ` Sean Anderson
2023-01-21 18:17 ` Sean Anderson
@ 2023-01-27 19:07 ` Tom Rini
2 siblings, 0 replies; 5+ messages in thread
From: Tom Rini @ 2023-01-27 19:07 UTC (permalink / raw)
To: Simon Glass; +Cc: u-boot, Mikhail Ilin
[-- Attachment #1: Type: text/plain, Size: 471 bytes --]
On Wed, Jan 18, 2023 at 01:13:17PM -0700, Simon Glass wrote:
> On a second and third look, a recent patch seems to be writing to the
> wrong place - updating offsets from the address of the pointer instead
> of what the pointer points to.
>
> Fix it.
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
> Acked-by: Sean Anderson <seanga2@gmail.com>
Applied to u-boot/master, thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-01-27 19:17 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-01-18 20:13 [PATCH] ifwitool: Fix member access Simon Glass
2023-01-21 18:14 ` Sean Anderson
2023-01-21 18:17 ` Sean Anderson
2023-01-21 18:17 ` Sean Anderson
2023-01-27 19:07 ` Tom Rini
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox