author | Pierre-Clément Tosi <ptosi@google.com> | 2022-04-22 10:01:43 +0100 |
---|---|---|
committer | Pierre-Clément Tosi <ptosi@google.com> | 2022-04-22 17:45:56 +0100 |
commit | 42ea76e410513cc47c1bb3e939df82b7ef30a8b4 (patch) | |
tree | cd900a5fa8d6887064765829a253262470dcab23 | |
parent | 240b1249073c572ed8d2aedfdcbbf49aa10ac813 (diff) | |
download | u-boot-42ea76e410513cc47c1bb3e939df82b7ef30a8b4.tar.gz |
ANDROID: pvmfw: Prevent OOB through underflow

Verify that the size of the AVB-signed image (received from the VMM
through the registers at boot) is large enough to contain the necessary
AVB footer, which has to be accessed to locate the VBMeta image and
obtain the actual size of the image that was signed.

This removes a potential OOB access in alloc_avb_ops() when:

    const void *avb_footer = image + size - AVB_FOOTER_SIZE;

if size < AVB_FOOTER_SIZE.

Bug: 229963796
Change-Id: I238f30c6921ee49db1b0d36487c77c34b2f6bb0d

-rw-r--r-- | board/android/pvmfw-arm64/boot.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/board/android/pvmfw-arm64/boot.c b/board/android/pvmfw-arm64/boot.c index 0febd72f18..6fdb124460 100644 --- a/board/android/pvmfw-arm64/boot.c +++ b/board/android/pvmfw-arm64/boot.c @@ -156,7 +156,8 @@ static struct AvbOps *alloc_avb_ops(void *image, size_t size) if (!ops) return NULL; - if (!avb_footer_validate_and_byteswap(avb_footer, &footer) || + if (size < AVB_FOOTER_SIZE || + !avb_footer_validate_and_byteswap(avb_footer, &footer) || !is_valid_ram_region(image, footer.original_image_size) || !is_valid_ram_region(image + footer.vbmeta_offset, VBMETA_MAX_SIZE)) goto free_ops; |
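
Review bot: The new `size < AVB_FOOTER_SIZE` test at the head of the condition guards the read of `avb_footer`, but the hunk does not touch the place where `avb_footer` is computed. If it is still initialised as `image + size - AVB_FOOTER_SIZE` (the expression quoted in the commit message) before this condition, the out-of-range pointer is still formed for an undersized image and only its use is skipped. Consider rejecting the undersized image first and deriving `avb_footer` only afterwards, so the subtraction never runs on a `size` that is too small. A short comment noting that `size` comes from the VMM and is untrusted would also help, since the check only works because it is the first operand of the `||` chain and a later reordering would silently reintroduce the access.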