Eric Lee / smarc-uboot

Download as
Browse Code ยป

Commit 67cd4a63487400317f1586b130bc2475767a5315

Authored by Marek Vasut
Committed by Tom Rini
1 parent 301e803867
Exists in master and in 53 other branches 8qm-imx_v2020.04_5.4.70_2.3.0, emb_lf_v2022.04, imx_v2015.04_4.1.15_1.0.0_ga, pitx_8mp_lf_v2020.04, smarc-8m-android-10.0.0_2.6.0, smarc-8m-android-11.0.0_2.0.0, smarc-8mp-android-11.0.0_2.0.0, smarc-emmc-imx_v2014.04_3.10.53_1.1.0_ga, smarc-emmc-imx_v2014.04_3.14.28_1.0.0_ga, smarc-imx-l5.0.0_1.0.0-ga, smarc-imx6_v2018.03_4.14.98_2.0.0_ga, smarc-imx7_v2017.03_4.9.11_1.0.0_ga, smarc-imx7_v2018.03_4.14.98_2.0.0_ga, smarc-imx_v2014.04_3.14.28_1.0.0_ga, smarc-imx_v2015.04_4.1.15_1.0.0_ga, smarc-imx_v2017.03_4.9.11_1.0.0_ga, smarc-imx_v2017.03_4.9.88_2.0.0_ga, smarc-imx_v2017.03_o8.1.0_1.3.0_8m, smarc-imx_v2018.03_4.14.78_1.0.0_ga, smarc-m6.0.1_2.1.0-ga, smarc-n7.1.2_2.0.0-ga, smarc-rel_imx_4.1.15_2.0.0_ga, smarc_8m-imx_v2018.03_4.14.98_2.0.0_ga, smarc_8m-imx_v2019.04_4.19.35_1.1.0, smarc_8m_00d0-imx_v2018.03_4.14.98_2.0.0_ga, smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga, smarc_8mm-imx_v2019.04_4.19.35_1.1.0, smarc_8mm-imx_v2020.04_5.4.24_2.1.0, smarc_8mp_lf_v2020.04, smarc_8mq-imx_v2020.04_5.4.24_2.1.0, smarc_8mq_lf_v2020.04, ti-u-boot-2015.07, v2013.10, v2013.10-smarct33, v2013.10-smartmen, v2014.01, v2014.04, v2014.04-smarct33, v2014.04-smarct33-emmc, v2014.04-smartmen, v2014.07, v2014.07-smarct33, v2014.07-smartmen, v2015.07-smarct33, v2015.07-smarct33-emmc, v2015.07-smarct4x, v2016.05-dlt, v2016.05-smarct3x, v2016.05-smarct3x-emmc, v2016.05-smarct4x, v2017.01-smarct3x, v2017.01-smarct3x-emmc, v2017.01-smarct4x

disk: Fix possible out-of-bounds access in part_efi.c 

Make sure to never access beyond bounds of either EFI partition name
or DOS partition name. This situation is happening:

part.h:     disk_partition_t->name is 32-byte long
part_efi.h: gpt_entry->partition_name is 36-bytes long

The loop in part_efi.c copies over 36 bytes and thus accesses beyond
the disk_partition_t->name .

Fix this by picking the shortest of source and destination arrays and
make sure the destination array is cleared so the trailing bytes are
zeroed-out and don't cause issues with string manipulation.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Simon Glass <sjg@chromium.org>

Showing 1 changed file with 8 additions and 3 deletions Side-by-side Diff

... ... @@ -372,7 +372,7 @@
372 372 u32 offset = (u32)le32_to_cpu(gpt_h->first_usable_lba);
373 373 ulong start;
374 374 int i, k;
375   - size_t name_len;
  375 + size_t efiname_len, dosname_len;
376 376 #ifdef CONFIG_PARTITION_UUIDS
377 377 char *str_uuid;
378 378 #endif
379 379  
... ... @@ -420,9 +420,14 @@
420 420 sizeof(gpt_entry_attributes));
421 421  
422 422 /* partition name */
423   - name_len = sizeof(gpt_e[i].partition_name)
  423 + efiname_len = sizeof(gpt_e[i].partition_name)
424 424 / sizeof(efi_char16_t);
425   - for (k = 0; k < name_len; k++)
  425 + dosname_len = sizeof(partitions[i].name);
  426 +
  427 + memset(gpt_e[i].partition_name, 0,
  428 + sizeof(gpt_e[i].partition_name));
  429 +
  430 + for (k = 0; k < min(dosname_len, efiname_len); k++)
426 431 gpt_e[i].partition_name[k] =
427 432 (efi_char16_t)(partitions[i].name[k]);
428 433