From: Mark Tomlinson Date: Tue, 28 Aug 2018 22:51:14 +0000 (+1200) Subject: tools: mkimage: Ensure munmap unmaps the same length that was mapped X-Git-Url: http://git.dujemihanovic.xyz/img/sics.gif?a=commitdiff_plain;h=8961c8ad252b8af887439e4e5c6c1bc0c912f2de;p=u-boot.git tools: mkimage: Ensure munmap unmaps the same length that was mapped The set_header call in kwbimage.c adds a checksum to the end of the image in addition to setting up the header. It 'helpfully' updates the st_size to match the fact that the file is now longer. However, mkimage uses this length in the munmap call. This can lead to unmapping an extra page, of perhaps required data. When this happens, a SEGV can occur. To prevent this from happening, the munmap call now uses the same length that was passed to mmap. This could also have been fixed by not changing the length in kwbimage.c, however changing it in the main file means that other plugins will also not fall for the same trap. Signed-off-by: Mark Tomlinson Signed-off-by: Chris Packham [cp: resolve checkpatch complaints] Tested-by: Chris Packham --- diff --git a/tools/mkimage.c b/tools/mkimage.c index e0d4d20be4..6abd4d6a8b 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -318,6 +318,7 @@ int main(int argc, char **argv) struct image_type_params *tparams = NULL; int pad_len = 0; int dfd; + size_t map_len; params.cmdname = *argv; params.addr = 0; @@ -576,7 +577,8 @@ int main(int argc, char **argv) } params.file_size = sbuf.st_size; - ptr = mmap(0, sbuf.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, ifd, 0); + map_len = sbuf.st_size; + ptr = mmap(0, map_len, PROT_READ | PROT_WRITE, MAP_SHARED, ifd, 0); if (ptr == MAP_FAILED) { fprintf (stderr, "%s: Can't map %s: %s\n", params.cmdname, params.imagefile, strerror(errno)); @@ -600,7 +602,7 @@ int main(int argc, char **argv) params.cmdname, tparams->name); } - (void) munmap((void *)ptr, sbuf.st_size); + (void)munmap((void *)ptr, map_len); /* We're a bit of paranoid */ #if defined(_POSIX_SYNCHRONIZED_IO) && \