[PATCH] ifwitool: Fix member access

[PATCH] ifwitool: Fix member access

[Simon Glass]

On a second and third look, a recent patch seems to be writing to the
wrong place - updating offsets from the address of the pointer instead
of what the pointer points to.

Fix it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
---

 tools/ifwitool.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/tools/ifwitool.c b/tools/ifwitool.c
index 31591863b2e..c1defe57737 100644
--- a/tools/ifwitool.c
+++ b/tools/ifwitool.c
@@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes,
  */
 static size_t fix_member(void *data, size_t offset, size_t size_bytes)
 {
-	uint8_t *src = (uint8_t *)data + offset;
+	void *src = (uint8_t *)data + offset;
 
 	switch (size_bytes) {
 	case 1:
@@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf)
 
 	size_t offset = 0;
 
-	offset = fix_member(&s, offset, sizeof(h->signature));
-	offset = fix_member(&s, offset, sizeof(h->descriptor_count));
-	offset = fix_member(&s, offset, sizeof(h->bpdt_version));
-	offset = fix_member(&s, offset, sizeof(h->xor_redundant_block));
-	offset = fix_member(&s, offset, sizeof(h->ifwi_version));
-	offset = fix_member(&s, offset, sizeof(h->fit_tool_version));
+	offset = fix_member(s, offset, sizeof(h->signature));
+	offset = fix_member(s, offset, sizeof(h->descriptor_count));
+	offset = fix_member(s, offset, sizeof(h->bpdt_version));
+	offset = fix_member(s, offset, sizeof(h->xor_redundant_block));
+	offset = fix_member(s, offset, sizeof(h->ifwi_version));
+	offset = fix_member(s, offset, sizeof(h->fit_tool_version));
 
 	uint32_t i;
 
 	for (i = 0; i < count; i++) {
-		offset = fix_member(&s, offset, sizeof(e[i].type));
-		offset = fix_member(&s, offset, sizeof(e[i].flags));
-		offset = fix_member(&s, offset, sizeof(e[i].offset));
-		offset = fix_member(&s, offset, sizeof(e[i].size));
+		offset = fix_member(s, offset, sizeof(e[i].type));
+		offset = fix_member(s, offset, sizeof(e[i].flags));
+		offset = fix_member(s, offset, sizeof(e[i].offset));
+		offset = fix_member(s, offset, sizeof(e[i].size));
 	}
 }
 
@@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf)
 	size_t count = h->num_entries;
 	size_t offset = 0;
 
-	offset = fix_member(&s, offset, sizeof(h->marker));
-	offset = fix_member(&s, offset, sizeof(h->num_entries));
-	offset = fix_member(&s, offset, sizeof(h->header_version));
-	offset = fix_member(&s, offset, sizeof(h->entry_version));
-	offset = fix_member(&s, offset, sizeof(h->header_length));
-	offset = fix_member(&s, offset, sizeof(h->checksum));
+	offset = fix_member(s, offset, sizeof(h->marker));
+	offset = fix_member(s, offset, sizeof(h->num_entries));
+	offset = fix_member(s, offset, sizeof(h->header_version));
+	offset = fix_member(s, offset, sizeof(h->entry_version));
+	offset = fix_member(s, offset, sizeof(h->header_length));
+	offset = fix_member(s, offset, sizeof(h->checksum));
 	offset += sizeof(h->name);
 
 	uint32_t i;
 
 	for (i = 0; i < count; i++) {
 		offset += sizeof(e[i].name);
-		offset = fix_member(&s, offset, sizeof(e[i].offset));
-		offset = fix_member(&s, offset, sizeof(e[i].length));
-		offset = fix_member(&s, offset, sizeof(e[i].rsvd));
+		offset = fix_member(s, offset, sizeof(e[i].offset));
+		offset = fix_member(s, offset, sizeof(e[i].length));
+		offset = fix_member(s, offset, sizeof(e[i].rsvd));
 	}
 }
 
-- 
2.39.0.246.g2a6d74b583-goog

Re: [PATCH] ifwitool: Fix member access

[Sean Anderson]

On 1/18/23 15:13, Simon Glass wrote:
> On a second and third look, a recent patch seems to be writing to the
> wrong place - updating offsets from the address of the pointer instead
> of what the pointer points to.
> 
> Fix it.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
> ---
> 
>   tools/ifwitool.c | 40 ++++++++++++++++++++--------------------
>   1 file changed, 20 insertions(+), 20 deletions(-)
> 
> diff --git a/tools/ifwitool.c b/tools/ifwitool.c
> index 31591863b2e..c1defe57737 100644
> --- a/tools/ifwitool.c
> +++ b/tools/ifwitool.c
> @@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes,
>    */
>   static size_t fix_member(void *data, size_t offset, size_t size_bytes)
>   {
> -	uint8_t *src = (uint8_t *)data + offset;
> +	void *src = (uint8_t *)data + offset;
>   
>   	switch (size_bytes) {
>   	case 1:
> @@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf)
>   
>   	size_t offset = 0;
>   
> -	offset = fix_member(&s, offset, sizeof(h->signature));
> -	offset = fix_member(&s, offset, sizeof(h->descriptor_count));
> -	offset = fix_member(&s, offset, sizeof(h->bpdt_version));
> -	offset = fix_member(&s, offset, sizeof(h->xor_redundant_block));
> -	offset = fix_member(&s, offset, sizeof(h->ifwi_version));
> -	offset = fix_member(&s, offset, sizeof(h->fit_tool_version));
> +	offset = fix_member(s, offset, sizeof(h->signature));
> +	offset = fix_member(s, offset, sizeof(h->descriptor_count));
> +	offset = fix_member(s, offset, sizeof(h->bpdt_version));
> +	offset = fix_member(s, offset, sizeof(h->xor_redundant_block));
> +	offset = fix_member(s, offset, sizeof(h->ifwi_version));
> +	offset = fix_member(s, offset, sizeof(h->fit_tool_version));
>   
>   	uint32_t i;
>   
>   	for (i = 0; i < count; i++) {
> -		offset = fix_member(&s, offset, sizeof(e[i].type));
> -		offset = fix_member(&s, offset, sizeof(e[i].flags));
> -		offset = fix_member(&s, offset, sizeof(e[i].offset));
> -		offset = fix_member(&s, offset, sizeof(e[i].size));
> +		offset = fix_member(s, offset, sizeof(e[i].type));
> +		offset = fix_member(s, offset, sizeof(e[i].flags));
> +		offset = fix_member(s, offset, sizeof(e[i].offset));
> +		offset = fix_member(s, offset, sizeof(e[i].size));
>   	}
>   }
>   
> @@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf)
>   	size_t count = h->num_entries;
>   	size_t offset = 0;
>   
> -	offset = fix_member(&s, offset, sizeof(h->marker));
> -	offset = fix_member(&s, offset, sizeof(h->num_entries));
> -	offset = fix_member(&s, offset, sizeof(h->header_version));
> -	offset = fix_member(&s, offset, sizeof(h->entry_version));
> -	offset = fix_member(&s, offset, sizeof(h->header_length));
> -	offset = fix_member(&s, offset, sizeof(h->checksum));
> +	offset = fix_member(s, offset, sizeof(h->marker));
> +	offset = fix_member(s, offset, sizeof(h->num_entries));
> +	offset = fix_member(s, offset, sizeof(h->header_version));
> +	offset = fix_member(s, offset, sizeof(h->entry_version));
> +	offset = fix_member(s, offset, sizeof(h->header_length));
> +	offset = fix_member(s, offset, sizeof(h->checksum));
>   	offset += sizeof(h->name);
>   
>   	uint32_t i;
>   
>   	for (i = 0; i < count; i++) {
>   		offset += sizeof(e[i].name);
> -		offset = fix_member(&s, offset, sizeof(e[i].offset));
> -		offset = fix_member(&s, offset, sizeof(e[i].length));
> -		offset = fix_member(&s, offset, sizeof(e[i].rsvd));
> +		offset = fix_member(s, offset, sizeof(e[i].offset));
> +		offset = fix_member(s, offset, sizeof(e[i].length));
> +		offset = fix_member(s, offset, sizeof(e[i].rsvd));
>   	}
>   }
>   

This fixes build errors for me.

Acked-by: Sean Anderson <seanga2@gmail.com>

Re: [PATCH] ifwitool: Fix member access

[Sean Anderson]

On Wed, 18 Jan 2023 13:13:17 -0700, Simon Glass wrote:
> On a second and third look, a recent patch seems to be writing to the
> wrong place - updating offsets from the address of the pointer instead
> of what the pointer points to.
> 
> Fix it.
> 
> 
> [...]

Applied, thanks!

[1/1] ifwitool: Fix member access
      commit: 87e7a02ae966331892bf57fc16aeccbb23387e04

Best regards,
-- 
Sean Anderson <seanga2@gmail.com>

Re: [PATCH] ifwitool: Fix member access

[Sean Anderson]

On 1/21/23 13:17, Sean Anderson wrote:
> On Wed, 18 Jan 2023 13:13:17 -0700, Simon Glass wrote:
>> On a second and third look, a recent patch seems to be writing to the
>> wrong place - updating offsets from the address of the pointer instead
>> of what the pointer points to.
>>
>> Fix it.
>>
>>
>> [...]
> 
> Applied, thanks!
> 
> [1/1] ifwitool: Fix member access
>        commit: 87e7a02ae966331892bf57fc16aeccbb23387e04
> 
> Best regards,

Whoops, sent this for the wrong patch.

--Sean

Re: [PATCH] ifwitool: Fix member access

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 471 bytes --]

On Wed, Jan 18, 2023 at 01:13:17PM -0700, Simon Glass wrote:

> On a second and third look, a recent patch seems to be writing to the
> wrong place - updating offsets from the address of the pointer instead
> of what the pointer points to.
> 
> Fix it.
> 
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
> Acked-by: Sean Anderson <seanga2@gmail.com>

Applied to u-boot/master, thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]