[Skiboot] [PATCH] libflash: Add sanity checks to ffs init code.
Cyril Bur
cyril.bur at au1.ibm.com
Tue Jul 5 16:12:47 AEST 2016
Quite a lot of code relies on values read from flash. These values
shouldn't be totally trusted without at least basic sanity checks.
Fixes coverity bug: 119719
Signed-off-by: Cyril Bur <cyril.bur at au1.ibm.com>
---
libflash/libffs.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/libflash/libffs.c b/libflash/libffs.c
index 4d57992..8134962 100644
--- a/libflash/libffs.c
+++ b/libflash/libffs.c
@@ -137,11 +137,33 @@ int ffs_init(uint32_t offset, uint32_t max_size, struct blocklevel_device *bl,
goto out;
}
+ /* Check header is sane */
+ if ((f->hdr.block_size * f->hdr.size) > max_size) {
+ rc = FLASH_ERR_PARM_ERROR;
+ FL_ERR("FFS: Flash header exceeds max flash size\n");
+ goto out;
+ }
+
+ if ((f->hdr.entry_size * f->hdr.entry_count) >
+ (f->hdr.block_size * f->hdr.size)) {
+ rc = FLASH_ERR_PARM_ERROR;
+ FL_ERR("FFS: Flash header entries exceeds available blocks\n");
+ goto out;
+ }
+
/*
* Decide how much of the image to grab to get the whole
* partition map.
*/
f->cached_size = f->hdr.block_size * f->hdr.size;
+ /* Check for overflow or a silly size */
+ if (!f->hdr.size || f->cached_size / f->hdr.size != f->hdr.block_size) {
+ rc= FLASH_ERR_MALLOC_FAILED;
+ FL_ERR("FFS: Cache size overflow (0x%x * 0x%x)\n",
+ f->hdr.block_size, f->hdr.size);
+ goto out;
+ }
+
FL_DBG("FFS: Partition map size: 0x%x\n", f->cached_size);
/* Allocate cache */
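Review bot: the multiplication overflow check at "/* Check for overflow or a silly size */" is placed after the two header checks that already consume `f->hdr.block_size * f->hdr.size`, so a wrapped 32-bit product can slip past the `> max_size` comparison before the overflow is ever detected; move the `!f->hdr.size || f->cached_size / f->hdr.size != f->hdr.block_size` test ahead of the "Check header is sane" block (computing `f->cached_size` there), and give `f->hdr.entry_size * f->hdr.entry_count` the same division-based overflow check, since that product is unguarded too. Minor points in the same hunk: `rc= FLASH_ERR_MALLOC_FAILED` is missing a space after `rc`, and a header sanity failure reads more consistently as `FLASH_ERR_PARM_ERROR`, matching the two checks above it; the message "Flash header entries exceeds available blocks" should be "exceed".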
--
2.9.0