Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 21a374568657aca4650eebc8ce8dde21c9e94270^! / .
commit21a374568657aca4650eebc8ce8dde21c9e94270[log] [tgz]
authorvijay kumar <vpendo@codeaurora.org>Tue Dec 29 16:23:21 2015 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>Thu May 12 01:45:28 2016 -0700
treeb5e7b533017ec605e4e0b0e5d7a0b52459313343
parentdf235e56b745c5dcfcbbbd2133030ba87fd068df [diff]
app: aboot: add check on size of atags

Added check on tags size while updating the atags,
it can cross the max size allowed and overwrite
kernel region.

Change-Id: Id4750f7cd5daa3d5f0d93950bb1a24016adfd9b7

diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 892ec72..6ac4a14 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c

@@ -708,7 +708,7 @@
 void generate_atags(unsigned *ptr, const char *cmdline,
                     void *ramdisk, unsigned ramdisk_size)
 {
-
+	unsigned *orig_ptr = ptr;
 	ptr = atag_core(ptr);
 	ptr = atag_ramdisk(ptr, ramdisk, ramdisk_size);
 	ptr = target_atag_mem(ptr);
@@ -718,8 +718,18 @@
 		ptr = atag_ptable(&ptr);
 	}
 
-	ptr = atag_cmdline(ptr, cmdline);
-	ptr = atag_end(ptr);
+	/*
+	 * Atags size filled till + cmdline size + 1 unsigned for 4-byte boundary + 4 unsigned
+	 * for atag identifier in atag_cmdline and atag_end should be with in MAX_TAGS_SIZE bytes
+	 */
+	if (((ptr - orig_ptr) + strlen(cmdline) + 5 * sizeof(unsigned)) <  MAX_TAGS_SIZE) {
+		ptr = atag_cmdline(ptr, cmdline);
+		ptr = atag_end(ptr);
+	}
+	else {
+		dprintf(CRITICAL,"Crossing ATAGs Max size allowed\n");
+		ASSERT(0);
+	}
 }
 
 typedef void entry_func_ptr(unsigned, unsigned, unsigned*);