diff options
| author | Jeremy Compostella <jeremy.compostella@intel.com> | 2022-09-08 13:47:35 -0700 |
|---|---|---|
| committer | Felix Held <felix-coreboot@felixheld.de> | 2022-09-12 12:33:36 +0000 |
| commit | 46ffccd753f5a350265b8650a83ba51972a5a0cf (patch) | |
| tree | 16522a2b4804ba94eeaddd9043672101ddcab4ff /util/cbfstool | |
| parent | f4a8a92cc2fb79db4fd0dcdeee422d1024f2abe2 (diff) | |
util/ifittool: Fix buffer overflow with padded microcode patches
Some microcode patches are padded with zeros, which make
parse_microcode_blob() read beyond the end of the buffer.
BRANCH=firmware-brya-14505.B
BUG=b:245380705
TEST=No segmentation fault with a padded microcode patch
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Change-Id: Id9c5fb6c1e264f3f5137d29201b9021c72d78fdd
Reviewed-on: https://review.coreboot.org/c/coreboot/+/67460
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Cliff Huang <cliff.huang@intel.com>
Reviewed-by: Nick Vaccaro <nvaccaro@google.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Diffstat (limited to 'util/cbfstool')
| -rw-r--r-- | util/cbfstool/fit.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/util/cbfstool/fit.c b/util/cbfstool/fit.c index 89b0fd28d9..7f8218a745 100644 --- a/util/cbfstool/fit.c +++ b/util/cbfstool/fit.c @@ -297,7 +297,8 @@ parse_microcode_blob(struct cbfs_image *image, uint32_t total_size = mcu_header->total_size ?: 2048; /* Quickly sanity check a prospective microcode update. */ - if (total_size < sizeof(*mcu_header)) + if (total_size < sizeof(*mcu_header) || + total_size > file_length) break; /* FIXME: Should the checksum be validated? */ |