[PATCH] scripts/imx: fix out-of-bounds access for big DCD tables

From: Uwe Kleine-König <hidden>
Date: 2017-08-04 16:00:24
Subsystem: the rest · Maintainer: Linus Torvalds

add_header_v2 might need a buffer that is bigger than HEADER_LEN
(0x1000) as MAX_DCD * sizeof(u32) (i.e. the maximal size of the dcd
table alone) is already 0x1000. Additionally add_header_v2 adds padding
(usually 0x400) and a struct imx_flash_header_v2 (48). So expand the
buffer size accordingly for v2.

Signed-off-by: Uwe Kleine-König <redacted>
---
 scripts/imx/imx-image.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
index dd5799cccc4b..b241e8c4b68e 100644
--- a/scripts/imx/imx-image.c
+++ b/scripts/imx/imx-image.c

@@ -762,10 +762,6 @@ int main(int argc, char *argv[])
 		create_usb_image = 0;
 	}
 
-	buf = calloc(1, HEADER_LEN);
-	if (!buf)
-		exit(1);
-
 	if (data.image_dcd_offset == 0xffffffff) {
 		if (create_usb_image)
 			data.image_dcd_offset = 0x0;

@@ -790,6 +786,10 @@ int main(int argc, char *argv[])
 
 	switch (data.header_version) {
 	case 1:
+		buf = calloc(1, HEADER_LEN);
+		if (!buf)
+			exit(1);
+
 		add_header_v1(&data, buf);
 		if (data.srkfile) {
 			ret = add_srk(buf, data.image_dcd_offset, data.image_load_addr,

@@ -799,6 +799,10 @@ int main(int argc, char *argv[])
 		}
 		break;
 	case 2:
+		buf = calloc(1, data.image_dcd_offset + sizeof(struct imx_flash_header_v2) + MAX_DCD * sizeof(u32));
+		if (!buf)
+			exit(1);
+
 		add_header_v2(&data, buf);
 		break;
 	default:

-- 
2.11.0


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help