squashfs: Fix heap corruption in sqfs_search_dir()
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
squashfs: Fix stack overflow while symlink resolving
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
squashfs: Fix integer overflow in sqfs_inode_size()
A carefully crafted squashfs filesystem can exhibit an extremly large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.
Fix by using __builtin_add_overflow() to detect the overflow.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
squashfs: Fix integer overflow in sqfs_resolve_symlink()
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
dlmalloc: Make sure allocation size is within malloc area
Since U-Boot does not support memory overcommit we can
enforce that the allocation size is within the malloc area.
This is a simple and efficient hardening measure to mitigate
further integer overflows in dlmalloc.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
Make sure that the new break is within mem_malloc_start
and mem_malloc_end before making progress.
ulong new = old + increment; can overflow for extremely large
increment values and memset() can get wrongly called.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
req is of type size_t, casting it to long opens the door
for an integer overflow.
Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
cause and overflow such that request2size() returns MINSIZE.
Fix by removing the cast.
The origin of the cast is unclear, it's in u-boot and ppcboot since ever
and predates the CVS history.
Doug Lea's original dlmalloc implementation also doesn't have it.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
by LONG_MIN/LONG_MAX.
So, use the long type, also to match the rest of the Linux ecosystem.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
bootstage: Fix out-of-bounds read in reloc_bootstage()
bootstage_get_size() returns the total size of the data structure
including associated records.
When copying from gd->bootstage, only the allocation size of gd->bootstage
must be used. Otherwise too much memory is copied.
This bug caused no harm so far because gd->new_bootstage is always
large enough and reading beyond the allocation length of gd->bootstage
caused no problem due to the U-Boot memory layout.
Fix by using the correct size and perform the initial copy directly
in bootstage_relocate() to have the whole relocation process in the
same function.
Signed-off-by: Richard Weinberger <richard@nod.at> Reviewed-by: Simon Glass <sjg@chromium.org>
Evaluate the filesystem incompat and ro_compat bit fields to judge
whether the filesystem can be read or written.
For the read side only a scary warning is shown so far.
I'd love to abort mounting too, but I fear this will break some setups
where the driver works by chance.
Signed-off-by: Richard Weinberger <richard@nod.at>
Do not load and flush segments whose program header type is not
PT_LOAD to avoid crash happen.
bootelf will load all program headers and then flush cache.
Since PT_GNU_STACK start address is 0x0, crash happens when
it flushes PT_GNU_STACK area for target that memory cannot be
accessed from address 0x0.
crash call stack:
====================================================================
bootelf -p
|-> do_bootelf (cmd/elf.c)
|-> load_elf_image_phdr (lib/elf.c) /* Load each program header */
|-> for (i = 0; i < ehdr->e_phnum; ++i) { /* e_phnum is 2 */
|-> flush_cache(start=0, size=0) (arch/arm/lib/cache.c) (*1)
|-> flush_dcache_range(start=0, 0); (arch/arm/cpu/armv8/cache_v8.c)
|-> __asm_flush_dcache_range(start=0, 0) (arch/arm/cpu/armv8/cache.S)
|-> /* clean & invalidate data or unified cache */
|-> dc civac, x0 <<== crash happen x0:start=0
====================================================================
*1 Here the p_paddr and p_filesz of the GNU_STACK program are 0.
hello_world elf image program headers
====================================================================
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000080ff0000 0x0000000080ff0000
0x0000000000010390 0x0000000000010390 R E 0x10000
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
Sean Anderson [Sat, 10 Aug 2024 13:59:37 +0000 (09:59 -0400)]
pinmux: generic: Use ENOENT instead of ENOSYS
ENOSYS should only be used when a subsystem is completely absent.
Convert its use in pinctrl-generic to ENOENT, which better reflects the
error condition (that a function/group/pin is missing).
Signed-off-by: Sean Anderson <seanga2@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Ravi Minnikanti [Sun, 11 Aug 2024 18:44:15 +0000 (11:44 -0700)]
env: remove vars that are not in default env
current env_set_default_vars() doesn't delete
var that are not in the imported env. hashtable
removes vars that are not in the imported
env but present in the current env only if H_NOCLEAR
flag is not set.
This change is to avoid passing H_NOCLEAR flag if
specific vars are passed to env_set_default_vars()
Without this change:
Marvell>> env default boot_mode
Marvell>>
With the change:
Marvell>> env default boot_mode
WARNING: 'boot_mode' not in imported env, deleting it!
Signed-off-by: Ravi Minnikanti <rminnikanti@marvell.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Yasuharu Shibata [Wed, 14 Aug 2024 12:41:07 +0000 (21:41 +0900)]
sandbox: fix wget test failure after fixing wget issue
After applying the following patch, wget test on sandbox failed[1].
Commit: cab7867cff ("net: wget: Support retransmission a dropped packet")
Here are two reasons why the test is failed and how to fix it:
1. tcp_ack is calculated by the wrong value.
tcp_ack needs to be calculated by the received TCP payload size.
2. wget command may have a problem that HTTP response from server
must be divided into more than two packets.
In this commit, HTTP response is divided into two packets.
In addition, I fixed the HTTP response returned at the correct timing.
cmd: led: fix led command usage for the LED_SW_BLINK enabled case
CONFIG_LED_BLINK and CONFIG_LED_SW_BLINK can be defined independently.
Led blinking works if any (or both) of them is enabled. Unfortunately
the led command help does not display blinking option if only
CONFIG_LED_SW_BLINK is enabled. This is definitely wrong.
This patch fix an issue.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> Reviewed-by: Simon Glass <sjg@chromium.org> Acked-by: Alexander Dahl <ada@thorsis.com>
spi: soft_spi: Parse cs-gpios only if num-chipselects is not <0>
Some boards don't have chipselect lines for leds so cs-gpios is not
specified in the dts leading to probing error. Fix it by making
behavior similar to the one in Linux, parse num-chipselects and
if it is zero, ignore cs-gpios.
Signed-off-by: Michael Polyntsov <michael.polyntsov@iopsys.eu> Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Simon Glass [Sun, 11 Aug 2024 14:50:34 +0000 (08:50 -0600)]
armv8: ls2085a: Drop CMD_DATE
These boards use pre-driver model code and it is several years since the
migration deadline. Disable the 'date' command so that this old code can
be removed.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heiko Schocher <hs@denx.de>
Simon Glass [Sun, 11 Aug 2024 14:50:33 +0000 (08:50 -0600)]
mips: malta: Drop CMD_DATE
These boards use pre-driver model code and it is several years since the
migration deadline. Disable the 'date' command so that this old code can
be removed.
Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heiko Schocher <hs@denx.de>
Tom Rini [Fri, 9 Aug 2024 22:03:21 +0000 (16:03 -0600)]
Merge patch series "Universal Payload initial series"
Simon Glass <sjg@chromium.org> says:
Universal Payload (UPL) is an Industry Standard for firmware
components[1]. UPL is designed to improve interoperability within the
firmware industry, allowing mixing and matching of projects with less
friction and fewer project-specific implementations. UPL is
cross-platform, supporting ARM, x86 and RISC-V initially.
This series provides some initial support for this, targeting 0.9.1 and
sandbox only.
Features still to come include:
- Support for architectures
- FIT validation
- Handoff validation
- Interoperability tests
Simon Glass [Wed, 7 Aug 2024 22:47:39 +0000 (16:47 -0600)]
upl: Add an end-to-end test
Now that sandbox_vpl supports UPL, add a test that checks that the
payload can be loaded by SPL and the handoff information passed through
to U-Boot proper.
Simon Glass [Wed, 7 Aug 2024 22:47:28 +0000 (16:47 -0600)]
upl: Add support for writing a upl handoff
Universal Payload provides a standard way of handing off control between
two firmware phases. Add support for writing the handoff information from
a structure.
Simon Glass [Wed, 7 Aug 2024 22:47:27 +0000 (16:47 -0600)]
upl: Add support for reading a upl handoff
Universal Payload provides a standard way of handing off control between
two firmware phases. Add support for reading the handoff information into
a structure.
Simon Glass [Wed, 7 Aug 2024 22:47:26 +0000 (16:47 -0600)]
sandbox: Set up global_data earlier
It is possible for U-Boot functions such as printf() to be called
within state_init(). This can end up checking gd->flags (e.g. in putc())
before global_data is set up.
Move the setup earlier to avoid this. This fixes the suppression of some
debug output in memory allocation (when enabled).
Simon Glass [Wed, 7 Aug 2024 22:47:24 +0000 (16:47 -0600)]
sandbox: Return error code from read/write/seek
The existing API for these functions is different from the rest of
U-Boot, in that any error code must be obtained from the errno variable
on failure. This variable is part of the C library, so accessing it
outside of the special 'sandbox' shim-functions is not ideal.
Adjust the API to return an error code, to avoid this. Update existing
uses to check for any negative value, rather than just -1.
Simon Glass [Wed, 7 Aug 2024 22:47:23 +0000 (16:47 -0600)]
sandbox: fdt: Avoid overwriting an existing fdt
Since the removal of OF_HOSTFILE logic in board_fdt_blob_setup(), the
logic for obtaining the DT is handled in the OF_BOARD option. If a
devicetree comes from a bloblist it is immediately overwritten by this
function.
Fix this by skipping the function if a devicetree is already present.
This is sort-of a fix for e7fb7896 ("sandbox: Remove OF_HOSTFILE") but
it has only come to light since bloblist was added, so I have not added
a Fixes tag.
Unfortunately it is not possible to report the correct FDT source with
the current code. It might be best to use an error-return code for
board_fdt_blob_setup() so that an error can be reported if the board
does not provide the DT.
Tom Rini [Wed, 7 Aug 2024 14:49:18 +0000 (08:49 -0600)]
Merge patch series "alist: Implement a pointer list / array of structs"
Simon Glass <sjg@chromium.org> says:
This data structure provides a list of pointers / array of structures.
I was planning to use it for the lmb restructure, to allow it to
support any number of entries, but then I gave up on it.
There are quite a few places in U-Boot where such a list would be
useful, since it supports growing the array.
Simon Glass [Tue, 30 Jul 2024 14:39:37 +0000 (08:39 -0600)]
alist: Add support for an allocated pointer list
In various places it is useful to have an array of structures, but allow
it to grow. In some cases we work around it by setting maximum number of
entries, using a Kconfig option. In other places we use a linked list,
which does not provide for random access and can complicate the code.
Introduce a new data structure, which is a variable-sized list of structs
each of the same, pre-set size. It provides O(1) access and is reasonably
efficient at expanding linearly, since it doubles in size when it runs out
of space.
Simon Glass [Tue, 30 Jul 2024 14:39:35 +0000 (08:39 -0600)]
malloc: Support testing with realloc()
At present in tests it is possible to cause an out-of-memory condition
with malloc() but not realloc(). Add support to realloc() too, so code
which uses that function can be tested.
omap3: sniper: Convert to device-tree control and DM I2C
This converts the sniper board (LG P970) to device-tree control
and DM I2C, both for SPL and U-Boot.
Note that we lose the call to board_mmc_power_init to enable power
for MMC2. This is now expected to take place through proper
regulators, which are not yet available with the twl4030 driver.
The call to twl4030_power_mmc_init is moved to spl_board_init for now.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr>
am33xx: Use regular spl_board_init instead of am33xx_spl_board_init
The am33xx_spl_board_init function was introduced as a way to add
board-specific SPL init for AM33xx devices since the spl_board_init
function was already used for SoC-specific init.
Now that the SoC-specific SPL init was moved to spl_soc_init, we can
use spl_board_init for this purpose and get rid of
am33xx_spl_board_init.
Rename the function in board files and enable the related config
option for concerned boards.
Signed-off-by: Paul Kocialkowski <paulk@sys-base.io> Reviewed-by: Tom Rini <trini@konsulko.com>
Both spl_board_init and spl_soc_init are available as ways to run
specific code in the SPL's board_init_r. Use the former for init
code that is specific to the SoC and leave spl_board_init available
for boards to use.
Signed-off-by: Paul Kocialkowski <paulk@sys-base.io> Reviewed-by: Tom Rini <trini@konsulko.com>
Tom Rini [Wed, 7 Aug 2024 00:33:08 +0000 (18:33 -0600)]
Merge patch series "omap configuration cleanups"
Paul Kocialkowski <paulk@sys-base.io> says:
Here is a bunch of configuration cleanups for OMAP boards, mostly
unifying and moving common configuration from board-specific defconfigs
to Kconfig definitions.
There's also a cleanup of the sniper (LG Optimus Black) defconfig,
prior to migrating it to DM/DT in a future follow-up series.
Remove custom config options that are not particularly necessary.
Align them with OMAP3 defaults used on other boards (especially for
memory locations).
Also enable Thumb build to reduce the SPL size and remove the custom
prompt text.
This makes the config a lot more minimalistic, maintainable and easier
to read.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
dra7xx: Remove explicit DRAM banks number from defconfigs
The common EMIF init code used for DRA7xx does not explicitly fill
the gd->bd->bi_dram entries (like OMAP3 does), so there is no reason
to set an explicit number of DRAM banks which doesn't correspond to
anything in particular.
Remove the CONFIG_NR_DRAM_BANKS option from the concerned defconfigs.
The dram_init_banksize default implementation will be fine with the
default value for the config option.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
omap3: Define DRAM banks number in Kconfig instead of defconfigs
The number of DRAM banks was defined to the same value in each OMAP3
board defconfig, which is expected and hardcoded in the code. Move the
common definition to the Kconfig option declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
omap3: Define maximum SPL size in Kconfig instead of defconfigs
The maximum SPL size was defined to the same value in each OMAP3
board defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
omap3: Define maximum U-Boot size in Kconfig instead of defconfigs
The maximum U-Boot size was defined to the same value in each OMAP3
board defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
dra7xx: Define common init stack pointer address in Kconfig
The init stack pointer was defined to the same value in each DRA7xx
board defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
dra7xx: Unify init stack pointer address across boards
The DRA7xx EVM board use a slightly different init stack pointer
address compared to the AM57xx EVM board, for no particular reason.
Align the address with the AM57xx EVM board (which matches the usual
offset to the end of SRAM used by other OMAP devices) prior to removing
it as a per-board option in a later commit.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
am43xx: Define common init stack pointer address in Kconfig
The init stack pointer was defined to the same value in each AM43xx
board defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
am33xx: Define common init stack pointer address in Kconfig
The init stack pointer was defined to the same value in each AM33xx
board defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
am33xx: Unify init stack pointer address across boards
The AM33xx chiliboard and guardian boards use a slightly different
init stack pointer address compared to other AM33xx boards, for no
particular reason.
Align the address with other AM33xx boards prior to removing it as a
per-board option in a later commit.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
omap3: Define common init stack pointer address in Kconfig
The init stack pointer was defined to the same value in each OMAP3
board defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
omap3: Define common SPL text base in Kconfig instead of defconfigs
The SPL text base was defined to the same value in each OMAP3 board
defconfig. Move the common definition to the Kconfig option
declaration instead.
Signed-off-by: Paul Kocialkowski <contact@paulk.fr> Tested-by: Adam Ford <aford173@gmail.com> #am3517-evm Reviewed-by: Tom Rini <trini@konsulko.com> Tested-by: Derald D. Woods <woods.technical@gmail.com>
Tom Rini [Mon, 5 Aug 2024 18:15:44 +0000 (12:15 -0600)]
Merge patch series "Bug-fixes for a few boards"
Simon Glass <sjg@chromium.org> says:
This series includes fixes to get some rockchip and nvidia boards
working again. It also drops the broken Beaglebone Black config and
provides a devicetree fix for coral (x86).
Simon Glass [Thu, 1 Aug 2024 12:47:23 +0000 (06:47 -0600)]
rockchip: Avoid #ifdefs in RK3399 SPL
The code here is confusing due to large blocks which are #ifdefed out.
Add a function phase_sdram_init() which returns whether SDRAM init
should happen in the current phase, using that as needed to control the
code flow.
This increases code size by about 500 bytes in SPL when the cache is on,
since it must call the rather large rockchip_sdram_size() function.
Simon Glass [Wed, 31 Jul 2024 14:49:05 +0000 (08:49 -0600)]
fdt: Correct condition for bloblist existing
On some boards, the bloblist is created in SPL once SDRAM is ready. It
cannot be accessed until that point, so is not available early in SPL.
Add a condition to avoid a hang in this case.
This fixes a hang in chromebook_coral
Fixes: 70fe2385943 ("fdt: Allow the devicetree to come from a bloblist") Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Raymond Mao <raymond.mao@linaro.org>