diff options
author | Yu-Ping Wu <yupingso@chromium.org> | 2024-11-06 16:15:08 +0800 |
---|---|---|
committer | Yu-Ping Wu <yupingso@google.com> | 2024-11-13 23:31:55 +0000 |
commit | e24b7c72cc7e2c7b1475a7625052918961e7dc77 (patch) | |
tree | 91b139aab147eff8af0f5d97b1beb973fc089e76 | |
parent | 7980b6ed47e35bba343705606bf5131df470ae18 (diff) |
util/ifdtool: Fix invalid pointer dereference
When calculating the GPR0 protection range, currently the offsets of
"CSE data partition offset" and FPT are not checked. Invalid pointer
dereference may lead to segmentation fault.
Ensure the offset is within the image size before accessing the pointer.
Change-Id: Ic9557d8fc8ae9e4c12114ee170bfc90d5e149df9
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/85016
Reviewed-by: Subrata Banik <subratabanik@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Alexander Goncharov <chat@joursoir.net>
-rw-r--r-- | util/ifdtool/ifdtool.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/util/ifdtool/ifdtool.c b/util/ifdtool/ifdtool.c index 36477eef66..ace05e2265 100644 --- a/util/ifdtool/ifdtool.c +++ b/util/ifdtool/ifdtool.c @@ -1756,9 +1756,23 @@ static int calculate_gpr0_range(char *image, int size, fprintf(stderr, "Unsupported platform\n"); exit(EXIT_FAILURE); } - uint32_t data_part_offset = *((uint32_t *)(image + cse_region_start + cse_data_offset)); + const uint32_t *data_part_offset_ptr = (uint32_t *)(image + cse_region_start + + cse_data_offset); + if (!PTR_IN_RANGE(data_part_offset_ptr, image, size)) { + fprintf(stderr, "Data part offset %d exceeds image size %d\n", + cse_region_start + cse_data_offset, size); + return -1; + } + uint32_t data_part_offset = *data_part_offset_ptr; + /* Start reading the CSE Data Partition Table, also known as FPT */ uint32_t data_part_start = data_part_offset + cse_region_start; + struct cse_fpt *fpt = (struct cse_fpt *)(image + data_part_start); + if (!PTR_IN_RANGE(fpt, image, size)) { + fprintf(stderr, "FPT offset %d exceeds image size %d\n", + data_part_start, size); + return -1; + } uint32_t fitc_region_start = 0; size_t fitc_region_size = 0; @@ -1766,8 +1780,7 @@ static int calculate_gpr0_range(char *image, int size, * FPT holds entry for own FPT data structure also bunch of sub-partitions. * `FITC` is one of such sub-partition entry. */ - if (parse_fitc_table(((struct cse_fpt *)(image + data_part_start)), - &fitc_region_start, &fitc_region_size) < 0) { + if (parse_fitc_table(fpt, &fitc_region_start, &fitc_region_size) < 0) { fprintf(stderr, "Unable to find FITC entry\n"); return -1; } |