smallsolar/u-boot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bootstage: Fix out-of-bounds read in reloc_bootstage()

Browse Source 
bootstage_get_size() returns the total size of the data structure
including associated records.
When copying from gd->bootstage, only the allocation size of gd->bootstage
must be used. Otherwise too much memory is copied.

This bug caused no harm so far because gd->new_bootstage is always
large enough and reading beyond the allocation length of gd->bootstage
caused no problem due to the U-Boot memory layout.

Fix by using the correct size and perform the initial copy directly
in bootstage_relocate() to have the whole relocation process in the
same function.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Richard Weinberger
2024-07-31 18:07:54 +02:00
committed by Tom Rini
parent faf73fb70d
commit 1779a58c66
3 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
common/bootstage.c
View File

@@ -54,12 +54,16 @@ struct bootstage_hdr {
u32 next_id; /* Next ID to use for bootstage */
};
int bootstage_relocate(void)
int bootstage_relocate(void *to)
{
struct bootstage_data *data = gd->bootstage;
struct bootstage_data *data;
int i;
char *ptr;
debug("Copying bootstage from %p to %p\n", gd->bootstage, to);
memcpy(to, gd->bootstage, sizeof(struct bootstage_data));
data = gd->bootstage = to;
/* Figure out where to relocate the strings to */
ptr = (char *)(data + 1);