Merge "app: aboot: Prevent out of bounds read in boot image header"
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 9ecbea3..6407333 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1264,6 +1264,7 @@
kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
+ second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask);
image_addr = (unsigned char *)target_get_scratch_address();
memcpy(image_addr, (void *)buf, page_size);
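Review bot: The added line `second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask);` rounds the header field before any range check, so the 64-bit sum tested further down only sees the already-rounded value. ROUND_TO_PAGE is defined outside this diff; if it is an add-then-mask evaluated in 32 bits, a `second_size` within `page_mask` of `UINT_MAX` would wrap to a small value and pass that later check. Consider rejecting such a header before rounding, for example `if (hdr->second_size > UINT_MAX - page_mask) return -1;`. The same applies to the identical line added in the @@ -2525 hunk and to the kernel and ramdisk roundings just above it. The enclosing function starts and ends outside the hunk.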
@@ -1276,17 +1277,17 @@
dt_size = hdr->dt_size;
#endif
dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
- if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)dt_actual + page_size)) {
+ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)second_actual + (uint64_t)dt_actual + page_size)) {
dprintf(CRITICAL, "Integer overflow detected in bootimage header fields at %u in %s\n",__LINE__,__FILE__);
return -1;
}
- imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual);
+ imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
#else
- if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual + page_size)) {
+ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual + (uint64_t)second_actual + page_size)) {
dprintf(CRITICAL, "Integer overflow detected in bootimage header fields at %u in %s\n",__LINE__,__FILE__);
return -1;
}
- imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
+ imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual);
#endif
#if VERIFIED_BOOT
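Review bot: Both rewritten overflow checks in this hunk repeat the same hand-written chain of `(uint64_t)` casts, and the @@ -1707 and @@ -1724 hunks carry two more copies. Every header field added later therefore has to be inserted into four conditions and four sums, which is how `second_actual` came to be missing in the first place. The @@ -2534 hunk of this same commit builds the total step by step with `ADD_OF`; if that macro signals overflow in a way these call sites can test, using it here would keep the check and the sum in one place. At minimum a comment such as `/* page header + kernel + ramdisk + second (+ dt), each already page-rounded */` above `imagesize_actual` would document which fields must be counted.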
@@ -1707,11 +1708,11 @@
}
#ifndef DEVICE_TREE
- if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ page_size)) {
+ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)second_actual + page_size)) {
dprintf(CRITICAL, "Integer overflow detected in bootimage header fields\n");
return -1;
}
- imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
+ imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual);
if (check_aboot_addr_range_overlap(hdr->tags_addr, MAX_TAGS_SIZE))
{
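Review bot: `second_actual` now feeds both the overflow check and `imagesize_actual` here, but no hunk near line 1707 assigns it. The @@ -1264 and @@ -2525 hunks, by contrast, add `second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask);`. If this function does not already compute it from the header above the hunk, the sum uses a stale or zero value and the second-stage size stays unaccounted for on this path. Please confirm the assignment exists, or add it next to the `kernel_actual` and `ramdisk_actual` roundings; the same question applies to the @@ -1724 hunk. The function body starts and ends outside the hunk.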
@@ -1724,12 +1725,12 @@
dt_size = hdr->dt_size;
#endif
dt_actual = ROUND_TO_PAGE(dt_size, page_mask);
- if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)dt_actual + page_size)) {
+ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)second_actual + (uint64_t)dt_actual + page_size)) {
dprintf(CRITICAL, "Integer overflow detected in bootimage header fields\n");
return -1;
}
- imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual);
+ imagesize_actual = (page_size + kernel_actual + ramdisk_actual + second_actual + dt_actual);
if (check_aboot_addr_range_overlap(hdr->tags_addr, dt_size))
{
@@ -2478,6 +2479,7 @@
#endif /* MDTP_SUPPORT */
unsigned kernel_actual;
unsigned ramdisk_actual;
+ unsigned second_actual;
uint32_t image_actual;
uint32_t dt_actual = 0;
uint32_t sig_actual = 0;
@@ -2525,6 +2527,7 @@
kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
+ second_actual = ROUND_TO_PAGE(hdr->second_size, page_mask);
#if DEVICE_TREE
#ifndef OSVERSION_IN_BOOTIMAGE
dt_size = hdr->dt_size;
@@ -2534,6 +2537,7 @@
image_actual = ADD_OF(page_size, kernel_actual);
image_actual = ADD_OF(image_actual, ramdisk_actual);
+ image_actual = ADD_OF(image_actual, second_actual);
image_actual = ADD_OF(image_actual, dt_actual);
/* Checking to prevent oob access in read_der_message_length */