summaryrefslogtreecommitdiff
path: root/payloads/libpayload
diff options
context:
space:
mode:
authorYou-Cheng Syu <youcheng@google.com>2019-02-27 15:29:15 +0800
committerPatrick Georgi <pgeorgi@google.com>2019-02-28 13:56:26 +0000
commit5ec1d24974de8280a615047804bdfa73720777c8 (patch)
treead5dca182b1ffa2702a40357d6769509d5c8927b /payloads/libpayload
parent08087a3e8af00e423fe8df02ac658fb6a1f31f45 (diff)
libpayload: cbfs: Require input size and output size for cbfs_decompress
Currently, cbfs_decompress() calls ulzma() and ulz4f() for LZMA/LZ4 decompression. These two functions don't accept input/output size as parameters. We can make cbfs_decompress more robust by calling ulzman() and ulz4fn() instead. This could prevent us from overflowing destination buffer. BUG=none BRANCH=none TEST=boot into kernel on Kukui with COMPRESSED_PAYLOAD_LZMA / COMPRESSED_PAYLOAD_LZ4. Change-Id: Ibe617825bd000ed618791d8e3c5f65bbbd5f7e33 Signed-off-by: You-Cheng Syu <youcheng@google.com> Reviewed-on: https://review.coreboot.org/c/31606 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Diffstat (limited to 'payloads/libpayload')
-rw-r--r--payloads/libpayload/include/cbfs_core.h5
-rw-r--r--payloads/libpayload/libcbfs/cbfs.c3
-rw-r--r--payloads/libpayload/libcbfs/cbfs_core.c19
3 files changed, 17 insertions, 10 deletions
diff --git a/payloads/libpayload/include/cbfs_core.h b/payloads/libpayload/include/cbfs_core.h
index 364f6c474d..a707154648 100644
--- a/payloads/libpayload/include/cbfs_core.h
+++ b/payloads/libpayload/include/cbfs_core.h
@@ -253,8 +253,9 @@ struct cbfs_media {
void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
int type, size_t *sz);
-/* returns decompressed size on success, 0 on failure */
-int cbfs_decompress(int algo, void *src, void *dst, int len);
+/* Returns decompressed size on success, 0 on failure. */
+size_t cbfs_decompress(int algo, const void *src, size_t srcn, void *dst,
+ size_t dstn);
/* returns a pointer to CBFS master header, or CBFS_HEADER_INVALID_ADDRESS
* on failure */
diff --git a/payloads/libpayload/libcbfs/cbfs.c b/payloads/libpayload/libcbfs/cbfs.c
index 577fb2075a..d679e6708a 100644
--- a/payloads/libpayload/libcbfs/cbfs.c
+++ b/payloads/libpayload/libcbfs/cbfs.c
@@ -114,8 +114,9 @@ void * cbfs_load_stage(struct cbfs_media *media, const char *name)
final_size = cbfs_decompress(stage->compression,
((unsigned char *) stage) +
sizeof(struct cbfs_stage),
+ stage->len,
(void *) (uintptr_t) stage->load,
- stage->len);
+ stage->memlen);
if (!final_size) {
entry = -1;
goto out;
diff --git a/payloads/libpayload/libcbfs/cbfs_core.c b/payloads/libpayload/libcbfs/cbfs_core.c
index 91f2603446..4ecda30395 100644
--- a/payloads/libpayload/libcbfs/cbfs_core.c
+++ b/payloads/libpayload/libcbfs/cbfs_core.c
@@ -48,6 +48,7 @@
*
*/
+#include <libpayload.h>
#include <cbfs.h>
#include <string.h>
#include <sysinfo.h>
@@ -256,7 +257,8 @@ void *cbfs_get_contents(struct cbfs_handle *handle, size_t *size, size_t limit)
return NULL;
ret = malloc(*size);
- if (ret != NULL && !cbfs_decompress(algo, data, ret, *size)) {
+ if (ret != NULL &&
+ !cbfs_decompress(algo, data, on_media_size, ret, *size)) {
free(ret);
ret = NULL;
}
@@ -321,24 +323,27 @@ void *cbfs_get_attr(struct cbfs_handle *handle, uint32_t tag)
return NULL;
}
-int cbfs_decompress(int algo, void *src, void *dst, int len)
+size_t cbfs_decompress(int algo, const void *src, size_t srcn, void *dst,
+ size_t dstn)
{
+ size_t len;
switch (algo) {
case CBFS_COMPRESS_NONE:
+ len = MIN(srcn, dstn);
memcpy(dst, src, len);
return len;
#ifdef CBFS_CORE_WITH_LZMA
case CBFS_COMPRESS_LZMA:
- return ulzma(src, dst);
+ return ulzman(src, srcn, dst, dstn);
#endif
#ifdef CBFS_CORE_WITH_LZ4
case CBFS_COMPRESS_LZ4:
- return ulz4f(src, dst);
+ return ulz4fn(src, srcn, dst, dstn);
#endif
default:
- ERROR("tried to decompress %d bytes with algorithm #%x,"
- "but that algorithm id is unsupported.\n", len,
- algo);
+ ERROR("tried to decompress %zu bytes with algorithm "
+ "#%x, but that algorithm id is unsupported.\n",
+ srcn, algo);
return 0;
}
}