Commit 4e75a27a authored by Andrew Jeffery's avatar Andrew Jeffery

vpnor: Test if HBB placement exceeds reserved memory bounds

If a host firmware image is provided where the placement of HBB exceeds
the reserved memory size then an out-of-bounds write would occur.

Change-Id: I0a98cb7417511cc8dd5bd2e12c9232ebc912dcd6
Signed-off-by: Andrew Jeffery's avatarAndrew Jeffery <andrew@aj.id.au>
parent 2dfc2a22
...@@ -100,16 +100,20 @@ int vpnor_copy_bootloader_partition(const struct mbox_context* context) ...@@ -100,16 +100,20 @@ int vpnor_copy_bootloader_partition(const struct mbox_context* context)
size_t tocOffset = 0; size_t tocOffset = 0;
// Copy TOC
flash_copy(&local, tocOffset,
static_cast<uint8_t*>(context->mem) + tocStart,
blTable.capacity());
const pnor_partition& partition = blTable.partition(blPartitionName); const pnor_partition& partition = blTable.partition(blPartitionName);
size_t hbbOffset = partition.data.base * eraseSize; size_t hbbOffset = partition.data.base * eraseSize;
uint32_t hbbSize = partition.data.actual; uint32_t hbbSize = partition.data.actual;
// Copy HBB
flash_copy(&local, hbbOffset, if (context->mem_size < tocStart + blTable.capacity() ||
static_cast<uint8_t*>(context->mem) + hbbOffset, hbbSize); context->mem_size < hbbOffset + hbbSize)
{
MSG_ERR("Reserved memory too small for dumb bootstrap\n");
return -EINVAL;
}
uint8_t* buf8 = static_cast<uint8_t*>(context->mem);
flash_copy(&local, tocOffset, buf8 + tocStart, blTable.capacity());
flash_copy(&local, hbbOffset, buf8 + hbbOffset, hbbSize);
} }
catch (err::InternalFailure& e) catch (err::InternalFailure& e)
{ {
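Review bot: The added check `context->mem_size < hbbOffset + hbbSize` forms the sum before comparing, so where `size_t` is 32 bits a large `partition.data.base` or `partition.data.actual` (presumably read from the supplied image's partition table) can wrap the sum below `mem_size`, and the guard then passes while `flash_copy` still writes outside the reservation. Comparing by subtraction closes that gap: `hbbOffset > context->mem_size || hbbSize > context->mem_size - hbbOffset`, with the same form for `tocStart` and `blTable.capacity()`. The multiplication `partition.data.base * eraseSize` that produces `hbbOffset` is on an unchanged line and may wrap as well, depending on the type of `eraseSize`, which is not visible here. The body of `vpnor_copy_bootloader_partition` starts and ends outside the hunk.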