From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Masahisa Kojima <masahisa.kojima@linaro.org>
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>,
Simon Glass <sjg@chromium.org>,
Takahiro Akashi <takahiro.akashi@linaro.org>,
Joe Hershberger <joe.hershberger@ni.com>,
Ramon Fried <rfried.dev@gmail.com>
Subject: Re: [PATCH v4 1/8] net: wget: prevent overwriting reserved memory
Date: Mon, 25 Sep 2023 13:50:38 +0300 [thread overview]
Message-ID: <ZRFl/gKVpazitXrb@hera> (raw)
In-Reply-To: <20230922071119.1439482-2-masahisa.kojima@linaro.org>
On Fri, Sep 22, 2023 at 04:11:12PM +0900, Masahisa Kojima wrote:
> This introduces the valid range check to store the received
> blocks using lmb. The same logic is implemented in tftp.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> ---
> net/wget.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 73 insertions(+), 7 deletions(-)
>
> diff --git a/net/wget.c b/net/wget.c
> index 2dbfeb1a1d..a48a8cb624 100644
> --- a/net/wget.c
> +++ b/net/wget.c
> @@ -4,16 +4,20 @@
> * Copyright Duncan Hare <dh@synoia.com> 2017
> */
>
> +#include <asm/global_data.h>
> #include <command.h>
> #include <common.h>
> #include <display_options.h>
> #include <env.h>
> #include <image.h>
> +#include <lmb.h>
> #include <mapmem.h>
> #include <net.h>
> #include <net/tcp.h>
> #include <net/wget.h>
>
> +DECLARE_GLOBAL_DATA_PTR;
> +
> static const char bootfile1[] = "GET ";
> static const char bootfile3[] = " HTTP/1.0\r\n\r\n";
> static const char http_eom[] = "\r\n\r\n";
> @@ -55,6 +59,29 @@ static unsigned int retry_tcp_ack_num; /* TCP retry acknowledge number*/
> static unsigned int retry_tcp_seq_num; /* TCP retry sequence number */
> static int retry_len; /* TCP retry length */
>
> +static ulong wget_load_size;
> +
> +/**
> + * wget_init_max_size() - initialize maximum load size
> + *
> + * Return: 0 if success, -1 if fails
> + */
> +static int wget_init_load_size(void)
> +{
> + struct lmb lmb;
> + phys_size_t max_size;
> +
> + lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob);
> +
> + max_size = lmb_get_free_size(&lmb, image_load_addr);
> + if (!max_size)
> + return -1;
> +
> + wget_load_size = max_size;
> +
> + return 0;
> +}
> +
> /**
> * store_block() - store block in memory
> * @src: source of data
> @@ -63,10 +90,25 @@ static int retry_len; /* TCP retry length */
> */
> static inline int store_block(uchar *src, unsigned int offset, unsigned int len)
> {
> + ulong store_addr = image_load_addr + offset;
> ulong newsize = offset + len;
> uchar *ptr;
>
> - ptr = map_sysmem(image_load_addr + offset, len);
> + if (IS_ENABLED(CONFIG_LMB)) {
> + ulong end_addr = image_load_addr + wget_load_size;
> +
> + if (!end_addr)
> + end_addr = ULONG_MAX;
> +
> + if (store_addr < image_load_addr ||
> + store_addr + len > end_addr) {
> + printf("\nwget error: ");
> + printf("trying to overwrite reserved memory...\n");
> + return -1;
> + }
> + }
> +
> + ptr = map_sysmem(store_addr, len);
> memcpy(ptr, src, len);
> unmap_sysmem(ptr);
>
> @@ -240,25 +282,39 @@ static void wget_connected(uchar *pkt, unsigned int tcp_seq_num,
>
> net_boot_file_size = 0;
>
> - if (len > hlen)
> - store_block(pkt + hlen, 0, len - hlen);
> + if (len > hlen) {
> + if (store_block(pkt + hlen, 0, len - hlen) != 0) {
> + wget_loop_state = NETLOOP_FAIL;
> + wget_fail("wget: store error\n", tcp_seq_num, tcp_ack_num, action);
> + net_set_state(NETLOOP_FAIL);
> + return;
> + }
> + }
>
> debug_cond(DEBUG_WGET,
> "wget: Connected Pkt %p hlen %x\n",
> pkt, hlen);
>
> for (i = 0; i < pkt_q_idx; i++) {
> + int err;
> +
> ptr1 = map_sysmem(
> (phys_addr_t)(pkt_q[i].pkt),
> pkt_q[i].len);
> - store_block(ptr1,
> - pkt_q[i].tcp_seq_num -
> - initial_data_seq_num,
> - pkt_q[i].len);
> + err = store_block(ptr1,
> + pkt_q[i].tcp_seq_num -
> + initial_data_seq_num,
> + pkt_q[i].len);
> unmap_sysmem(ptr1);
> debug_cond(DEBUG_WGET,
> "wget: Connctd pkt Q %p len %x\n",
> pkt_q[i].pkt, pkt_q[i].len);
> + if (err) {
> + wget_loop_state = NETLOOP_FAIL;
> + wget_fail("wget: store error\n", tcp_seq_num, tcp_ack_num, action);
> + net_set_state(NETLOOP_FAIL);
> + return;
> + }
> }
> }
> }
> @@ -330,6 +386,7 @@ static void wget_handler(uchar *pkt, u16 dport,
> len) != 0) {
> wget_fail("wget: store error\n",
> tcp_seq_num, tcp_ack_num, action);
> + net_set_state(NETLOOP_FAIL);
> return;
> }
>
> @@ -420,6 +477,15 @@ void wget_start(void)
> debug_cond(DEBUG_WGET,
> "\nwget:Load address: 0x%lx\nLoading: *\b", image_load_addr);
>
> + if (IS_ENABLED(CONFIG_LMB)) {
> + if (wget_init_load_size()) {
> + printf("\nwget error: ");
> + printf("trying to overwrite reserved memory...\n");
> + net_set_state(NETLOOP_FAIL);
> + return;
> + }
> + }
> +
> net_set_timeout_handler(wget_timeout, wget_timeout_handler);
> tcp_set_tcp_handler(wget_handler);
>
> --
> 2.34.1
>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
next prev parent reply other threads:[~2023-09-25 10:50 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-22 7:11 [PATCH v4 0/8] Add EFI HTTP boot support Masahisa Kojima
2023-09-22 7:11 ` [PATCH v4 1/8] net: wget: prevent overwriting reserved memory Masahisa Kojima
2023-09-25 10:50 ` Ilias Apalodimas [this message]
2023-09-22 7:11 ` [PATCH v4 2/8] net: wget: add wget with dns utility function Masahisa Kojima
2023-09-25 10:52 ` Ilias Apalodimas
2023-09-22 7:11 ` [PATCH v4 3/8] blk: blkmap: add ramdisk creation " Masahisa Kojima
2023-09-25 12:09 ` Ilias Apalodimas
2023-09-22 7:11 ` [PATCH v4 4/8] efi_loader: support boot from URI device path Masahisa Kojima
2023-09-25 12:37 ` Ilias Apalodimas
2023-09-26 3:01 ` Masahisa Kojima
2023-09-28 11:35 ` Maxim Uvarov
2023-09-29 2:13 ` Masahisa Kojima
2023-09-29 6:24 ` Maxim Uvarov
2023-09-29 7:00 ` Masahisa Kojima
2023-09-29 7:43 ` Maxim Uvarov
2023-09-22 7:11 ` [PATCH v4 5/8] efi_loader: set EFI HTTP Boot download buffer as reserved Masahisa Kojima
2023-09-25 12:46 ` Ilias Apalodimas
2023-09-26 3:11 ` Masahisa Kojima
2023-09-22 7:11 ` [PATCH v4 6/8] cmd: efidebug: add uri device path Masahisa Kojima
2023-09-22 7:11 ` [PATCH v4 7/8] doc: uefi: add HTTP Boot support Masahisa Kojima
2023-09-25 12:12 ` Ilias Apalodimas
2023-09-26 3:02 ` Masahisa Kojima
2023-09-22 7:11 ` [PATCH v4 8/8] efi_loader: create BlockIo device boot option Masahisa Kojima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZRFl/gKVpazitXrb@hera \
--to=ilias.apalodimas@linaro.org \
--cc=joe.hershberger@ni.com \
--cc=masahisa.kojima@linaro.org \
--cc=rfried.dev@gmail.com \
--cc=sjg@chromium.org \
--cc=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox