authorYu-Ping Wu <yupingso@chromium.org>2024-11-06 16:15:08 +0800
committerYu-Ping Wu <yupingso@google.com>2024-11-13 23:31:55 +0000
commite24b7c72cc7e2c7b1475a7625052918961e7dc77 (patch)
tree91b139aab147eff8af0f5d97b1beb973fc089e76
parent7980b6ed47e35bba343705606bf5131df470ae18 (diff)
util/ifdtool: Fix invalid pointer dereference
When calculating the GPR0 protection range, currently the offsets of "CSE data partition offset" and FPT are not checked. An invalid pointer dereference may lead to a segmentation fault. Ensure the offset is within the image size before accessing the pointer. Change-Id: Ic9557d8fc8ae9e4c12114ee170bfc90d5e149df9 Signed-off-by: Yu-Ping Wu <yupingso@chromium.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/85016 Reviewed-by: Subrata Banik <subratabanik@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Alexander Goncharov <chat@joursoir.net>
-rw-r--r--util/ifdtool/ifdtool.c19
1 files changed, 16 insertions, 3 deletions
diff --git a/util/ifdtool/ifdtool.c b/util/ifdtool/ifdtool.c
index 36477eef66..ace05e2265 100644
--- a/util/ifdtool/ifdtool.c
+++ b/util/ifdtool/ifdtool.c
@@ -1756,9 +1756,23 @@ static int calculate_gpr0_range(char *image, int size,
fprintf(stderr, "Unsupported platform\n");
exit(EXIT_FAILURE);
}
- uint32_t data_part_offset = *((uint32_t *)(image + cse_region_start + cse_data_offset));
+ const uint32_t *data_part_offset_ptr = (uint32_t *)(image + cse_region_start +
+ cse_data_offset);
+ if (!PTR_IN_RANGE(data_part_offset_ptr, image, size)) {
+ fprintf(stderr, "Data part offset %d exceeds image size %d\n",
+ cse_region_start + cse_data_offset, size);
+ return -1;
+ }
+ uint32_t data_part_offset = *data_part_offset_ptr;
+
/* Start reading the CSE Data Partition Table, also known as FPT */
uint32_t data_part_start = data_part_offset + cse_region_start;
+ struct cse_fpt *fpt = (struct cse_fpt *)(image + data_part_start);
+ if (!PTR_IN_RANGE(fpt, image, size)) {
+ fprintf(stderr, "FPT offset %d exceeds image size %d\n",
+ data_part_start, size);
+ return -1;
+ }
uint32_t fitc_region_start = 0;
size_t fitc_region_size = 0;
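Review bot: The two new fprintf calls print `data_part_start` (declared `uint32_t` a few lines above) and the `cse_region_start + cse_data_offset` sum with `%d`, which mismatches an unsigned argument and trips -Wformat; use `%u` (or `PRIu32` if the file already includes `<inttypes.h>`), e.g. `fprintf(stderr, "FPT offset %u exceeds image size %d\n", data_part_start, size);`. Both pointers are also formed from image-derived offsets before PTR_IN_RANGE sees them, so if `data_part_offset + cse_region_start` wraps the `uint32_t` addition the resulting pointer may land back inside the image and pass the check while pointing at the wrong bytes (assuming PTR_IN_RANGE only compares addresses); comparing the offset against `size - sizeof(*fpt)` before forming the pointer would reject that case too. The FPT check covers only the `struct cse_fpt` header, and whether parse_fitc_table bounds the entries it walks against `size` is not visible from this hunk, which is worth confirming since the entry count comes from the same untrusted image. calculate_gpr0_range begins before this hunk and continues past it.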
@@ -1766,8 +1780,7 @@ static int calculate_gpr0_range(char *image, int size,
* FPT holds entry for own FPT data structure also bunch of sub-partitions.
* `FITC` is one of such sub-partition entry.
*/
- if (parse_fitc_table(((struct cse_fpt *)(image + data_part_start)),
- &fitc_region_start, &fitc_region_size) < 0) {
+ if (parse_fitc_table(fpt, &fitc_region_start, &fitc_region_size) < 0) {
fprintf(stderr, "Unable to find FITC entry\n");
return -1;
}