From patchwork Thu Mar 15 10:14:19 2018
X-Patchwork-Submitter: Alexander Graf
X-Patchwork-Id: 131759
From: Alexander Graf To: u-boot@lists.denx.de Date: Thu, 15 Mar 2018 11:14:19 +0100 Message-Id: <20180315101419.38387-1-agraf@suse.de> X-Mailer: git-send-email 2.12.3 Cc: Stefan Roese , Michal Simek Subject: [U-Boot] [PATCH] kwbimage: Fix out of bounds access X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" The kwbimage format is reading beyond its header structure if it misdetects a Xilinx Zynq image and tries to read it. Fix it by sanity checking that the header we want to read fits inside our file size. Signed-off-by: Alexander Graf Tested-by: Michal Simek Reviewed-by: Stefan Roese --- tools/kwbimage.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/kwbimage.c b/tools/kwbimage.c index 3ca3b3b4a6..26686ad30f 100644 --- a/tools/kwbimage.c +++ b/tools/kwbimage.c @@ -1616,6 +1616,10 @@ static int kwbimage_verify_header(unsigned char *ptr, int image_size, struct image_tool_params *params) { uint8_t checksum; + size_t header_size = kwbimage_header_size(ptr); + + if (header_size > image_size) + return -FDT_ERR_BADSTRUCTURE; if (!main_hdr_checksum_ok(ptr)) return -FDT_ERR_BADSTRUCTURE;
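Review bot: The comparison `header_size > image_size` in kwbimage_verify_header() mixes a size_t with an int, so image_size is converted to unsigned before the compare; a negative image_size becomes a very large value and the check passes. Rejecting `image_size < 0` first, or casting only after that test, would close this. Separately, kwbimage_header_size(ptr) is called in the declaration, before anything has confirmed that the buffer is large enough for the fields it reads. It takes only ptr, so it cannot bound its own reads, and on a very short file the out-of-bounds read described in the commit message could still occur inside that call. Consider checking image_size against the fixed size of the main header before computing header_size. A short comment above the check saying that it guards against misdetected non-kwbimage files would also help later readers.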