author | Andrew Jeffery <andrew@aj.id.au> | 2019-03-14 17:24:38 +1030 |
---|---|---|
committer | Andrew Jeffery <andrew@aj.id.au> | 2019-03-18 10:45:41 +1030 |
commit | 4e75a27a5f31d4cbf72793f0ccd3bd4011829524 (patch) | |
tree | cc3e180d5a10bd790c7c67e3deca88da05748652 | |
parent | 2dfc2a22a26b8726b1da336e952c3d05ebe02aed (diff) | |
vpnor: Test if HBB placement exceeds reserved memory bounds
If a host firmware image is provided where the placement of HBB exceeds
the reserved memory size then an out-of-bounds write would occur.
Change-Id: I0a98cb7417511cc8dd5bd2e12c9232ebc912dcd6
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
-rw-r--r-- | vpnor/mboxd_pnor_partition_table.cpp | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/vpnor/mboxd_pnor_partition_table.cpp b/vpnor/mboxd_pnor_partition_table.cpp
index 9a82151..a6ebd4e 100644
--- a/vpnor/mboxd_pnor_partition_table.cpp
+++ b/vpnor/mboxd_pnor_partition_table.cpp
@@ -100,16 +100,20 @@ int vpnor_copy_bootloader_partition(const struct mbox_context* context)
 size_t tocOffset = 0;
- // Copy TOC
- flash_copy(&local, tocOffset,
- static_cast<uint8_t*>(context->mem) + tocStart,
- blTable.capacity());
 const pnor_partition& partition = blTable.partition(blPartitionName);
 size_t hbbOffset = partition.data.base * eraseSize;
 uint32_t hbbSize = partition.data.actual;
- // Copy HBB
- flash_copy(&local, hbbOffset,
- static_cast<uint8_t*>(context->mem) + hbbOffset, hbbSize);
+
+ if (context->mem_size < tocStart + blTable.capacity() ||
+ context->mem_size < hbbOffset + hbbSize)
+ {
+ MSG_ERR("Reserved memory too small for dumb bootstrap\n");
+ return -EINVAL;
+ }
+
+ uint8_t* buf8 = static_cast<uint8_t*>(context->mem);
+ flash_copy(&local, tocOffset, buf8 + tocStart, blTable.capacity());
+ flash_copy(&local, hbbOffset, buf8 + hbbOffset, hbbSize);
 }
 catch (err::InternalFailure& e)
 {
|
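Review bot: The new bounds test adds image-controlled values before comparing, so `hbbOffset + hbbSize` (and `tocStart + blTable.capacity()`) can wrap and still pass the check. `hbbOffset` is a `size_t` computed from `partition.data.base * eraseSize` and `hbbSize` is a `uint32_t` read from the partition table; if `size_t` is 32 bits on the target, which is likely on a BMC but not visible here, a large `actual` or `base` makes the sum small again and the following `flash_copy` writes past `context->mem`. Comparing by subtraction avoids the wrap: `hbbOffset > context->mem_size || hbbSize > context->mem_size - hbbOffset`, with the same form for the TOC range. The multiplication producing `hbbOffset` deserves the same check against `context->mem_size / eraseSize` before it is used as a flash offset. The function body begins and ends outside this hunk, so the types of `mem_size` and `tocStart` should be confirmed there.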