u-boot/common
Eugeniu Rosca e63bf1b13b common: image-android-dt: Fix out-of-bounds access
Currently, 'dtimg' allows users to check indexes equal to
dt_entry_count [1]. Forbid that [2].

[1] Behavior w/o the patch:

=> ext2load mmc 0:1 0x48000000 dtb.img
105695 bytes read in 5 ms (20.2 MiB/s)

=> dtimg dump 0x48000000
dt_table_header:
               magic = d7b7ab1e
          total_size = 105695
         header_size = 32
       dt_entry_size = 32
      dt_entry_count = 2
   dt_entries_offset = 32
           page_size = 4096
             version = 0
dt_table_entry[0]:
             dt_size = 105599
           dt_offset = 96
                  id = 0b779520
                 rev = 00000000
           custom[0] = 00000000
           custom[1] = 00000000
           custom[2] = 00000000
           custom[3] = 00000000
           (FDT)size = 105599
     (FDT)compatible = shimafuji,kingfisher
dt_table_entry[1]:
             dt_size = 105599
           dt_offset = 96
                  id = 0b779530
                 rev = 00000000
           custom[0] = 00000000
           custom[1] = 00000000
           custom[2] = 00000000
           custom[3] = 00000000
           (FDT)size = 105599
     (FDT)compatible = shimafuji,kingfisher

=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z; print z
z=d00dfeed
=> dtimg size 0x48000000 3 z
Error: index > dt_entry_count (3 > 2)

[2] Behavior with the patch:

=> dtimg size 0x48000000 0 z; print z
z=19c7f
=> dtimg size 0x48000000 1 z; print z
z=19c7f
=> dtimg size 0x48000000 2 z
Error: index >= dt_entry_count (2 >= 2)

Fixes: c044733457 ("common: Add support for Android DT image")
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
2019-03-22 12:15:18 -04:00
eeprom SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
init spl: Add support for passing handoff info to U-Boot proper 2018-11-26 08:25:37 -05:00
spl common: spl_fit: Default to IH_OS_U_BOOT if FIT_IMAGE_TINY enabled 2019-03-22 12:15:05 -04:00
autoboot.c bootcount: Rewrite autoboot to use wrapper functions from bootcount.h 2018-05-10 20:38:25 -04:00
avb_verify.c avb_verify: support using OP-TEE TA AVB 2018-10-07 11:07:25 -04:00
bedbug.c
bloblist.c Add core support for a bloblist to convey data from SPL 2018-11-26 08:25:32 -05:00
board_f.c Merge branch 'master' of git://git.denx.de/u-boot-spi 2018-12-05 15:06:24 -05:00
board_info.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
board_r.c initcall: Move to inline function 2019-02-09 07:50:58 -05:00
boot_fit.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
bootm_os.c riscv: bootm: Support booting VxWorks 2018-12-31 08:08:51 -05:00
bootm.c efi_loader: refactor switch to non-secure mode 2019-02-13 09:40:06 +01:00
bootretry.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
bootstage.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
bouncebuf.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
cli_hush.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
cli_readline.c cli: handle getch error 2018-09-10 20:20:34 -04:00
cli_simple.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
cli.c dfu: Remove dependency on HUSH parser in SPL 2019-01-26 08:13:55 -05:00
command.c common: command: Add support for $ auto-completion 2019-01-15 15:38:28 -05:00
common_fit.c common: Compile error with CONFIG_MULTI_DTB_FIT and not SPL 2018-11-09 10:44:50 -05:00
console.c sandbox: Allow puts() output before global_data is set up 2018-11-26 08:25:36 -05:00
cros_ec.c sandbox: cros_ec: exynos: Drop use of cros_ec_get_error() 2018-11-20 19:14:22 -07:00
ddr_spd.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
dfu.c usb: gadget: Do not call board_usb_xxx() directly in USB gadget drivers 2018-12-07 16:31:45 +01:00
dlmalloc.c malloc: Use malloc simple before malloc is fully initialized in memalign() 2018-05-26 18:19:19 -04:00
dlmalloc.src
edid.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
exports.c board/ls2085rdb: Export functions for standalone AQ FW load apps 2015-07-20 11:44:37 -07:00
fdt_support.c common: fdt_support: print hexadecimal numbers in debug 2019-01-14 17:47:13 -07:00
flash.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
hash.c Roll CRC16-CCITT into the hash infrastructure 2018-12-08 20:18:44 -05:00
hwconfig.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
image-android-dt.c common: image-android-dt: Fix out-of-bounds access 2019-03-22 12:15:18 -04:00
image-android.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
image-fdt.c image: fdt: handle coalesced reserve region 2019-03-08 11:31:44 -05:00
image-fit.c rsa: add a structure for the padding 2018-12-03 10:44:10 -05:00
image-sig.c rsa: add support of padding pss 2018-12-03 10:44:10 -05:00
image.c tools: add i.MX8M image support 2019-01-01 14:12:18 +01:00
iomux.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
iotrace.c iotrace: fix behaviour when buffer is full 2018-06-18 14:02:04 -04:00
kallsyms.c
Kconfig preboot: Introduce CONFIG_USE_PREBOOT and migrate CONFIG_PREBOOT 2019-02-22 19:49:41 -05:00
kgdb_stubs.c Use correct spelling of "U-Boot" 2016-02-06 12:00:59 +01:00
kgdb.c Fix spelling of "occurred". 2016-05-02 18:37:09 -04:00
lcd_console_rotation.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
lcd_console.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
lcd_simplefb.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
lcd.c video: use BMP_ALIGN_CENTER define from splash.h 2018-12-04 19:47:20 +01:00
log_console.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
log.c log: Add a Kconfig option to set the default log level 2019-02-20 15:21:44 +08:00
lynxkdi.c Remove unnecessary instances of DECLARE_GLOBAL_DATA_PTR 2018-04-27 14:54:48 -04:00
main.c main: Drop more #ifdefs 2018-12-06 23:26:30 -05:00
Makefile usb: Rename SPL_USB_SUPPORT to SPL_USB_STORAGE 2019-02-15 22:01:15 +01:00
malloc_simple.c malloc_simple: Add logging of allocations 2018-11-29 09:30:05 -07:00
memsize.c common/memsize.c: Increase save array for supporting memory size > 4GB 2018-07-10 16:55:59 -04:00
menu.c menu: fix timeout duration 2018-06-05 20:19:08 -04:00
miiphyutil.c miiphy: Add function to retrieve MDIO bus list head 2018-10-24 14:45:36 -05:00
s_record.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
splash_source.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
splash.c env: Rename getenv/_f() to env_get() 2017-08-16 08:30:24 -04:00
stdio.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
system_map.c
update.c SPDX: Convert all of our single license tags to Linux Kernel style 2018-05-07 09:34:12 -04:00
usb_hub.c usb: s/CONFIG_DM_USB/CONFIG_IS_ENABLED(DM_USB)/ 2018-11-26 21:19:03 +01:00
usb_kbd.c usb: s/CONFIG_DM_USB/CONFIG_IS_ENABLED(DM_USB)/ 2018-11-26 21:19:03 +01:00
usb_storage.c usb: storage: s/CONFIG_BLK/CONFIG_IS_ENABLED(BLK)/ 2018-11-26 21:19:04 +01:00
usb.c usb: s/CONFIG_DM_USB/CONFIG_IS_ENABLED(DM_USB)/ 2018-11-26 21:19:03 +01:00
xyzModem.c xyz-modem: Fix timeout loop waiting with WATCHDOG 2019-01-15 15:28:51 -05:00