torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-21 23:16:50 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6ac513185c410f9404ff66b920bec137cbc6e543
linux/drivers/mtd/parsers/redboot.c
Finn Thain 8e2f802027 mtd: Avoid boot crash in RedBoot partition table parser 
Given CONFIG_FORTIFY_SOURCE=y and a recent compiler,
commit 439a1bcac6 ("fortify: Use __builtin_dynamic_object_size() when
available") produces the warning below and an oops.

    Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000
    ------------[ cut here ]------------
    WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1
    memcmp: detected buffer overflow: 15 byte read of buffer size 14
    Modules linked in:
    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE

As Kees said, "'names' is pointing to the final 'namelen' many bytes
of the allocation ... 'namelen' could be basically any length at all.
This fortify warning looks legit to me -- this code used to be reading
beyond the end of the allocation."

Since the size of the dynamic allocation is calculated with strlen()
we can use strcmp() instead of memcmp() and remain within bounds.

Cc: Kees Cook <kees@kernel.org>
Cc: stable@vger.kernel.org
Cc: linux-hardening@vger.kernel.org
Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Suggested-by: Kees Cook <kees@kernel.org>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
2026-02-25 17:47:30 +01:00

324 lines
8.2 KiB
C
Raw Blame History

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Parse RedBoot-style Flash Image System (FIS) tables and
* produce a Linux partition array to match.
*
* Copyright © 2001 Red Hat UK Limited
* Copyright © 2001-2010 David Woodhouse <dwmw2@infradead.org>
*/
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/vmalloc.h>
#include <linux/of.h>
#include <linux/mtd/mtd.h>
#include <linux/mtd/partitions.h>
#include <linux/module.h>
struct fis_image_desc {
unsigned char name[16]; // Null terminated name
u32 flash_base; // Address within FLASH of image
u32 mem_base; // Address in memory where it executes
u32 size; // Length of image
u32 entry_point; // Execution entry point
u32 data_length; // Length of actual data
unsigned char _pad[256 - (16 + 7 * sizeof(u32))];
u32 desc_cksum; // Checksum over image descriptor
u32 file_cksum; // Checksum over image data
};
struct fis_list {
struct fis_image_desc *img;
struct fis_list *next;
};
static int directory = CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK;
module_param(directory, int, 0);
static inline int redboot_checksum(struct fis_image_desc *img)
{
/* RedBoot doesn't actually write the desc_cksum field yet AFAICT */
return 1;
}
static void parse_redboot_of(struct mtd_info *master)
{
struct device_node *np;
struct device_node *npart;
u32 dirblock;
int ret;
np = mtd_get_of_node(master);
if (!np)
return;
npart = of_get_child_by_name(np, "partitions");
if (!npart)
return;
ret = of_property_read_u32(npart, "fis-index-block", &dirblock);
of_node_put(npart);
if (ret)
return;
/*
* Assign the block found in the device tree to the local
* directory block pointer.
*/
directory = dirblock;
}
static int parse_redboot_partitions(struct mtd_info *master,
const struct mtd_partition **pparts,
struct mtd_part_parser_data *data)
{
int nrparts = 0;
struct fis_image_desc *buf;
struct mtd_partition *parts;
struct fis_list *fl = NULL, *tmp_fl;
int ret, i;
size_t retlen;
char *names;
char *nullname;
int namelen = 0;
int nulllen = 0;
int numslots;
unsigned long offset;
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
static char nullstring[] = "unallocated";
#endif
parse_redboot_of(master);
if (directory < 0) {
offset = master->size + directory * master->erasesize;
while (mtd_block_isbad(master, offset)) {
if (!offset) {
nogood:
pr_notice("Failed to find a non-bad block to check for RedBoot partition table\n");
return -EIO;
}
offset -= master->erasesize;
}
} else {
offset = (unsigned long) directory * master->erasesize;
while (mtd_block_isbad(master, offset)) {
offset += master->erasesize;
if (offset == master->size)
goto nogood;
}
}
buf = vmalloc(master->erasesize);
if (!buf)
return -ENOMEM;
pr_notice("Searching for RedBoot partition table in %s at offset 0x%lx\n",
master->name, offset);
ret = mtd_read(master, offset, master->erasesize, &retlen,
(void *)buf);
if (ret)
goto out;
if (retlen != master->erasesize) {
ret = -EIO;
goto out;
}
numslots = (master->erasesize / sizeof(struct fis_image_desc));
for (i = 0; i < numslots; i++) {
if (!memcmp(buf[i].name, "FIS directory", 14)) {
/* This is apparently the FIS directory entry for the
* FIS directory itself. The FIS directory size is
* one erase block; if the buf[i].size field is
* swab32(erasesize) then we know we are looking at
* a byte swapped FIS directory - swap all the entries!
* (NOTE: this is 'size' not 'data_length'; size is
* the full size of the entry.)
*/
/* RedBoot can combine the FIS directory and
config partitions into a single eraseblock;
we assume wrong-endian if either the swapped
'size' matches the eraseblock size precisely,
or if the swapped size actually fits in an
eraseblock while the unswapped size doesn't. */
if (swab32(buf[i].size) == master->erasesize ||
(buf[i].size > master->erasesize
&& swab32(buf[i].size) < master->erasesize)) {
int j;
/* Update numslots based on actual FIS directory size */
numslots = swab32(buf[i].size) / sizeof(struct fis_image_desc);
for (j = 0; j < numslots; ++j) {
/* A single 0xff denotes a deleted entry.
* Two of them in a row is the end of the table.
*/
if (buf[j].name[0] == 0xff) {
if (buf[j].name[1] == 0xff) {
break;
} else {
continue;
}
}
/* The unsigned long fields were written with the
* wrong byte sex, name and pad have no byte sex.
*/
swab32s(&buf[j].flash_base);
swab32s(&buf[j].mem_base);
swab32s(&buf[j].size);
swab32s(&buf[j].entry_point);
swab32s(&buf[j].data_length);
swab32s(&buf[j].desc_cksum);
swab32s(&buf[j].file_cksum);
}
} else if (buf[i].size < master->erasesize) {
/* Update numslots based on actual FIS directory size */
numslots = buf[i].size / sizeof(struct fis_image_desc);
}
break;
}
}
if (i == numslots) {
/* Didn't find it */
pr_notice("No RedBoot partition table detected in %s\n",
master->name);
ret = 0;
goto out;
}
for (i = 0; i < numslots; i++) {
struct fis_list *new_fl, **prev;
if (buf[i].name[0] == 0xff) {
if (buf[i].name[1] == 0xff) {
break;
} else {
continue;
}
}
if (!redboot_checksum(&buf[i]))
break;
new_fl = kmalloc_obj(struct fis_list);
namelen += strlen(buf[i].name) + 1;
if (!new_fl) {
ret = -ENOMEM;
goto out;
}
new_fl->img = &buf[i];
if (data && data->origin)
buf[i].flash_base -= data->origin;
else
buf[i].flash_base &= master->size - 1;
/* I'm sure the JFFS2 code has done me permanent damage.
* I now think the following is _normal_
*/
prev = &fl;
while (*prev && (*prev)->img->flash_base < new_fl->img->flash_base)
prev = &(*prev)->next;
new_fl->next = *prev;
*prev = new_fl;
nrparts++;
}
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (fl->img->flash_base) {
nrparts++;
nulllen = sizeof(nullstring);
}
for (tmp_fl = fl; tmp_fl->next; tmp_fl = tmp_fl->next) {
if (tmp_fl->img->flash_base + tmp_fl->img->size + master->erasesize <= tmp_fl->next->img->flash_base) {
nrparts++;
nulllen = sizeof(nullstring);
}
}
#endif
parts = kzalloc(sizeof(*parts) * nrparts + nulllen + namelen, GFP_KERNEL);
if (!parts) {
ret = -ENOMEM;
goto out;
}
nullname = (char *)&parts[nrparts];
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (nulllen > 0)
strcpy(nullname, nullstring);
#endif
names = nullname + nulllen;
i = 0;
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (fl->img->flash_base) {
parts[0].name = nullname;
parts[0].size = fl->img->flash_base;
parts[0].offset = 0;
i++;
}
#endif
for ( ; i < nrparts; i++) {
parts[i].size = fl->img->size;
parts[i].offset = fl->img->flash_base;
parts[i].name = names;
strcpy(names, fl->img->name);
#ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY
if (!strcmp(names, "RedBoot") ||
!strcmp(names, "RedBoot config") ||
!strcmp(names, "FIS directory")) {
parts[i].mask_flags = MTD_WRITEABLE;
}
#endif
names += strlen(names) + 1;
#ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED
if (fl->next && fl->img->flash_base + fl->img->size + master->erasesize <= fl->next->img->flash_base) {
i++;
parts[i].offset = parts[i - 1].size + parts[i - 1].offset;
parts[i].size = fl->next->img->flash_base - parts[i].offset;
parts[i].name = nullname;
}
#endif
tmp_fl = fl;
fl = fl->next;
kfree(tmp_fl);
}
ret = nrparts;
*pparts = parts;
out:
while (fl) {
struct fis_list *old = fl;
fl = fl->next;
kfree(old);
}
vfree(buf);
return ret;
}
static const struct of_device_id mtd_parser_redboot_of_match_table[] = {
{ .compatible = "redboot-fis" },
{},
};
MODULE_DEVICE_TABLE(of, mtd_parser_redboot_of_match_table);
static struct mtd_part_parser redboot_parser = {
.parse_fn = parse_redboot_partitions,
.name = "RedBoot",
.of_match_table = mtd_parser_redboot_of_match_table,
};
module_mtd_part_parser(redboot_parser);
/* mtd parsers will request the module by parser name */
MODULE_ALIAS("RedBoot");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("David Woodhouse <dwmw2@infradead.org>");
MODULE_DESCRIPTION("Parsing code for RedBoot Flash Image System (FIS) tables");
Reference in New Issue View Git Blame Copy Permalink