From 4e75a27a5f31d4cbf72793f0ccd3bd4011829524 Mon Sep 17 00:00:00 2001
From: Andrew Jeffery
Date: Thu, 14 Mar 2019 17:24:38 +1030
Subject: [PATCH] vpnor: Test if HBB placement exceeds reserved memory bounds

If a host firmware image is provided where the placement of HBB exceeds the reserved memory size then an out-of-bounds write would occur.

Change-Id: I0a98cb7417511cc8dd5bd2e12c9232ebc912dcd6
Signed-off-by: Andrew Jeffery
---
 vpnor/mboxd_pnor_partition_table.cpp | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/vpnor/mboxd_pnor_partition_table.cpp b/vpnor/mboxd_pnor_partition_table.cpp
index 9a82151..a6ebd4e 100644
--- a/vpnor/mboxd_pnor_partition_table.cpp
+++ b/vpnor/mboxd_pnor_partition_table.cpp
@@ -100,16 +100,20 @@ int vpnor_copy_bootloader_partition(const struct mbox_context* context)
 size_t tocOffset = 0;
- // Copy TOC
- flash_copy(&local, tocOffset,
- static_cast(context->mem) + tocStart,
- blTable.capacity());
 const pnor_partition& partition = blTable.partition(blPartitionName);
 size_t hbbOffset = partition.data.base * eraseSize;
 uint32_t hbbSize = partition.data.actual;
- // Copy HBB
- flash_copy(&local, hbbOffset,
- static_cast(context->mem) + hbbOffset, hbbSize);
+
+ if (context->mem_size < tocStart + blTable.capacity() ||
+ context->mem_size < hbbOffset + hbbSize)
+ {
+ MSG_ERR("Reserved memory too small for dumb bootstrap\n");
+ return -EINVAL;
+ }
+
+ uint8_t* buf8 = static_cast(context->mem);
+ flash_copy(&local, tocOffset, buf8 + tocStart, blTable.capacity());
+ flash_copy(&local, hbbOffset, buf8 + hbbOffset, hbbSize);
 }
 catch (err::InternalFailure& e)
 {
--
2.30.2
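Review bot: The new bounds check adds before it compares, so `hbbOffset + hbbSize` (and `tocStart + blTable.capacity()`) can wrap where `size_t` is 32 bits, letting an oversized placement pass the test and still reach `flash_copy`. Both `hbbOffset` and `hbbSize` are derived from the partition table of the supplied image, which is exactly the input this check is meant to validate. Comparing by subtraction avoids the wrap: `if (hbbOffset > context->mem_size || hbbSize > context->mem_size - hbbOffset)`, with the same form for the TOC range. The multiplication `partition.data.base * eraseSize` on the context line above the check can wrap as well and probably wants its own range test; the types of `mem_size`, `tocStart` and `eraseSize` are declared outside the hunk, so their widths should be confirmed. The function body starts and ends outside the hunk.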