From: Marek Vasut Date: Mon, 29 May 2023 12:04:06 +0000 (+0200) Subject: spl: spl_legacy: Add extra address checks X-Git-Tag: v2025.01-rc5-pxa1908~971^2~2 X-Git-Url: http://git.dujemihanovic.xyz/img/static/%7B%7B?a=commitdiff_plain;h=77aed22b48ab789491cf96cd2ba3128124e51eee;p=u-boot.git spl: spl_legacy: Add extra address checks Check whether the loaded image or entry point does not overlap SPL. Signed-off-by: Marek Vasut --- diff --git a/cmd/Kconfig b/cmd/Kconfig index 365371fb51..02e54f1e50 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -362,7 +362,8 @@ config BOOTM_VXWORKS config SYS_BOOTM_LEN hex "Maximum size of a decompresed OS image" - depends on CMD_BOOTM || CMD_BOOTI || CMD_BOOTZ + depends on CMD_BOOTM || CMD_BOOTI || CMD_BOOTZ || \ + LEGACY_IMAGE_FORMAT || SPL_LEGACY_IMAGE_FORMAT default 0x4000000 if PPC || ARM64 default 0x1000000 if X86 || ARCH_MX6 || ARCH_MX7 default 0x800000 diff --git a/common/spl/spl_legacy.c b/common/spl/spl_legacy.c index 16851c55eb..d34bc5492e 100644 --- a/common/spl/spl_legacy.c +++ b/common/spl/spl_legacy.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include @@ -15,6 +16,22 @@ #define LZMA_LEN (1 << 20) +static void spl_parse_legacy_validate(uintptr_t start, uintptr_t size) +{ + uintptr_t spl_start = (uintptr_t)_start; + uintptr_t spl_end = (uintptr_t)__bss_end; + uintptr_t end = start + size; + + if ((start >= spl_start && start < spl_end) || + (end > spl_start && end <= spl_end) || + (start < spl_start && end >= spl_end) || + (start > end && end > spl_start)) + panic("SPL: Image overlaps SPL\n"); + + if (size > CONFIG_SYS_BOOTM_LEN) + panic("SPL: Image too large\n"); +} + int spl_parse_legacy_header(struct spl_image_info *spl_image, const struct legacy_img_hdr *header) { @@ -58,6 +75,9 @@ int spl_parse_legacy_header(struct spl_image_info *spl_image, "payload image: %32s load addr: 0x%lx size: %d\n", spl_image->name, spl_image->load_addr, spl_image->size); + spl_parse_legacy_validate(spl_image->load_addr, spl_image->size); + spl_parse_legacy_validate(spl_image->entry_point, 0); + return 0; }