author Jakub Czapiga <jacz@semihalf.com> 2021-09-09 09:20:37 +0200
committer Julius Werner <jwerner@chromium.org> 2021-09-13 20:06:00 +0000
commit 8edbba4cc48ea42978cd95de015170288b86c3c3 (patch)
tree ff10858b5e631148380e5c783bdb37d04764b8f8 /src
parent 615cdfcdb9bf826d4815f0d7e7d9961da5bf33d0 (diff)
cbfs: Prevent overflow and infinite loop in cbfs_walk
CBFS file with length of (UINT32_MAX - cbfs_file.offset + 1) causes overflow, making cbfs_walk() get stuck in an infinite loop, checking the same file. This patch makes cbfs_walk() skip file headers with incorrect data_offset or data_length.

Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I70020e347087cbd8134a1a60177fa9eef63fb7bd
Reviewed-on: https://review.coreboot.org/c/coreboot/+/57525
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
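As an added, constructed C model of the loop the commit message describes (this is not coreboot's cbfs_walk() or struct cbfs_file): a header declaring len = UINT32_MAX - data_offset + 1 is caught by the size check, but the pre-patch next-file step recomputes the same offset in 32-bit arithmetic and revisits the header, whereas the patched path advances by one alignment unit and the walk terminates. The header layout, the magic value and the 64-byte alignment are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed, simplified model of a CBFS-style header and walker, not coreboot's
 * struct cbfs_file or cbfs_walk(); host byte order, 64-byte alignment assumed. */
#define DEMO_ALIGNMENT 64u
#define DEMO_MAGIC 0x46424353u
struct demo_hdr { uint32_t magic; uint32_t len; uint32_t offset; };
static uint8_t demo_img[256];
static uint32_t align_up32(uint32_t x) { return (x + DEMO_ALIGNMENT - 1) & ~(DEMO_ALIGNMENT - 1); }

/* Constructed image: file 0 declares len = UINT32_MAX - data_offset + 1 (the
 * case from the commit message); file 1 at 128 is a normal 16-byte file. */
size_t build_demo_image(void)
{
	const uint32_t doff = sizeof(struct demo_hdr);
	struct demo_hdr bad = { DEMO_MAGIC, UINT32_MAX - doff + 1, doff };
	struct demo_hdr good = { DEMO_MAGIC, 16, doff };
	memset(demo_img, 0, sizeof(demo_img));
	memcpy(demo_img, &bad, sizeof(bad));
	memcpy(demo_img + 128, &good, sizeof(good));
	return sizeof(demo_img);
}

/* Returns headers visited, or -1 when max_steps pass without the walk ending;
 * fixed=false models the pre-patch 'goto next_file', fixed=true the patch. */
long walk_demo(const uint8_t *img, size_t devsize, bool fixed, unsigned max_steps)
{
	size_t offset = 0;
	long visited = 0;
	for (unsigned step = 0; offset + sizeof(struct demo_hdr) <= devsize; step++) {
		struct demo_hdr h;
		if (step >= max_steps) return -1;	/* guard so the demo cannot hang */
		memcpy(&h, img + offset, sizeof(h));
		if (h.magic != DEMO_MAGIC) {	/* no header here, keep scanning */
			offset += DEMO_ALIGNMENT;
			continue;
		}
		visited++;
		if (h.offset > sizeof(h) || h.len > devsize ||
		    offset + h.offset + h.len > devsize) {
			if (fixed) {	/* patch: resynchronise by one alignment unit */
				offset += DEMO_ALIGNMENT;
				continue;
			}
		}	/* pre-patch: fall through to the shared next-file step */
		/* 32-bit arithmetic as with a 32-bit size_t: 12 + 0xFFFFFFF4 wraps to 0 */
		offset += align_up32(h.offset + h.len);
	}
	return visited;
}
```

With the constructed image, the pre-patch walk never advances past offset 0 and trips the step guard, while the patched walk visits both headers and finishes.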
Diffstat (limited to 'src')
-rw-r--r-- src/commonlib/bsd/cbfs_private.c | 3
1 file changed, 2 insertions, 1 deletion
diff --git a/src/commonlib/bsd/cbfs_private.c b/src/commonlib/bsd/cbfs_private.c
index 1642cca26a..94a29ac929 100644
--- a/src/commonlib/bsd/cbfs_private.c
+++ b/src/commonlib/bsd/cbfs_private.c
@@ -54,7 +54,8 @@ cb_err_t cbfs_walk(cbfs_dev_t dev, cb_err_t (*walker)(cbfs_dev_t dev, size_t off
if (data_offset > sizeof(mdata) || data_length > devsize ||
offset + data_offset + data_length > devsize) {
ERROR("File @%#zx too large\n", offset);
- goto next_file;
+ offset += CBFS_ALIGNMENT;
+ continue;
}
if (empty && !(flags & CBFS_WALK_INCLUDE_EMPTY))
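Review bot: the new `offset += CBFS_ALIGNMENT; continue;` in the "too large" branch needs a one-line comment saying why it must not share the `next_file` path: with `data_length` close to UINT32_MAX, a next-file offset derived from `data_offset + data_length` wraps and the walk lands on the same header again, which is the infinite loop this change fixes. Without that comment the divergence from the other skip paths reads as accidental. It is also worth stating in the same comment that resynchronising one alignment unit at a time means the walker scans through the rejected file's bytes looking for the next valid header, so a reader knows that is the intended trade-off.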