Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 561d2eaab3ced2cbacf273668b52262489ae92d0^2..561d2eaab3ced2cbacf273668b52262489ae92d0 / .
commit561d2eaab3ced2cbacf273668b52262489ae92d0[log] [tgz]
authorLinux Build Service Account <lnxbuild@quicinc.com>Tue Jul 04 12:21:53 2017 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>Tue Jul 04 12:21:53 2017 -0700
tree1d1ee3d76136912b2ced7f391a9dc1b4c6f49cf6
parent09a0cfdeb7bb3e17f4c82a863bc3318ec01db8df [diff]
parentb46ae5f7b8361f1907538223bef747cb8b44cb5c [diff]
Merge "target: msm8953: fix the scratch region size"
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index ef8ff88..c873882 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c

@@ -3482,7 +3482,8 @@
 	}
 
 	dprintf(INFO, "writing %d bytes to '%s'\n", sz, ptn->name);
-	if ((sz > UBI_MAGIC_SIZE) && (!memcmp((void *)data, UBI_MAGIC, UBI_MAGIC_SIZE))) {
+	if ((sz > UBI_EC_HDR_SIZE) &&
+		(!memcmp((void *)data, UBI_MAGIC, UBI_MAGIC_SIZE))) {
 		if (flash_ubi_img(ptn, data, sz)) {
 			fastboot_fail("flash write failure");
 			return;

diff --git a/app/aboot/recovery.c b/app/aboot/recovery.c
index 71006bd..49f5057 100644
--- a/app/aboot/recovery.c
+++ b/app/aboot/recovery.c

@@ -134,10 +134,8 @@
 {
 	struct ptentry *ptn;
 	struct ptable *ptable;
-	unsigned int ssd_cookie[2] = {0x53534443, 0x4F4F4B49};
+	unsigned int *ssd_cookie;
 	unsigned pagesize = flash_page_size();
-	unsigned pagemask = pagesize -1;
-	unsigned n = 0;
 
 	ptable = flash_get_ptable();
 	if (ptable == NULL) {
@@ -145,21 +143,32 @@
 		return -1;
 	}
 
-	n = (sizeof(ssd_cookie) + pagemask) & (~pagemask);
+	ssd_cookie = malloc(pagesize);
+	if (!ssd_cookie){
+		dprintf(CRITICAL, "ERROR: Memory allocation failure\n");
+		return -1;
+	}
+	memset(ssd_cookie, 0, pagesize);
+	ssd_cookie[0] = 0x53534443;
+	ssd_cookie[1] = 0x4F4F4B49;
 
 	ptn = ptable_find(ptable, name);
 	if (ptn == NULL) {
 		dprintf(CRITICAL, "ERROR: No %s partition found\n", name);
-		return -1;
+		goto out;
 	}
 
-	if (flash_write(ptn, 0, ssd_cookie, n)) {
+	if (flash_write(ptn, 0, ssd_cookie, pagesize)) {
 		dprintf(CRITICAL, "ERROR: flash write fail!\n");
-		return -1;
+		goto out;
 	}
 
+	free(ssd_cookie);
 	dprintf(INFO, "FOTA partition written successfully!");
 	return 0;
+out:
+	free(ssd_cookie);
+	return -1;
 }
 
 int get_boot_info_apps (char type, unsigned int *status)
@@ -302,23 +311,39 @@
 {
 	char *ptn_name = "misc";
 	unsigned long long ptn = 0;
-	unsigned int size = ROUND_TO_PAGE(sizeof(*out),511);
-	unsigned char data[size];
+	unsigned blocksize = mmc_get_device_blocksize();
+	unsigned int size = ROUND_TO_PAGE(sizeof(*out), (unsigned)blocksize - 1);
+	unsigned char *data = NULL;
+	int ret = 0;
 	int index = INVALID_PTN;
 
+	data = malloc(size);
+	if(!data)
+	{
+		dprintf(CRITICAL,"memory allocation error \n");
+		ret = -1;
+		goto out;
+	}
+
 	index = partition_get_index((const char *) ptn_name);
 	ptn = partition_get_offset(index);
 	mmc_set_lun(partition_get_lun(index));
 	if(ptn == 0) {
 		dprintf(CRITICAL,"partition %s doesn't exist\n",ptn_name);
-		return -1;
+		ret = -1;
+		goto out;
 	}
+	memset(data, 0, size);
 	memcpy(data, out, sizeof(*out));
 	if (mmc_write(ptn , size, (unsigned int*)data)) {
 		dprintf(CRITICAL,"mmc write failure %s %d\n",ptn_name, sizeof(*out));
-		return -1;
+		ret = -1;
+		goto out;
 	}
-	return 0;
+out:
+	if (data)
+		free(data);
+	return ret;
 }
 
 static int emmc_get_recovery_msg(struct recovery_message *in)

diff --git a/lib/zlib_inflate/inflate.c b/lib/zlib_inflate/inflate.c
index e341300..95690e0 100644
--- a/lib/zlib_inflate/inflate.c
+++ b/lib/zlib_inflate/inflate.c

@@ -1506,7 +1506,7 @@
 {
     struct inflate_state FAR *state;
 
-    if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
+    if (strm == Z_NULL || strm->state == Z_NULL) return -(1L<<16);
     state = (struct inflate_state FAR *)strm->state;
     return ((long)(state->back) << 16) +
         (state->mode == COPY ? state->length :

diff --git a/platform/msm_shared/flash-ubi.c b/platform/msm_shared/flash-ubi.c
index 010f61e..ca46876 100644
--- a/platform/msm_shared/flash-ubi.c
+++ b/platform/msm_shared/flash-ubi.c

@@ -818,6 +818,7 @@
 	int bad_blocks_cnt = 0;
 	uint32_t fmsb_peb = UINT_MAX;
 	int is_fmsb_peb_valid = 0;
+	unsigned peb_valid_sz= 0;
 
 	si = scan_partition(ptn);
 	if (!si) {
@@ -845,14 +846,30 @@
 			curr_peb++;
 			continue;
 		}
-		remove_F_flag(img_peb);
-		/* Update the ec_header in the image */
-		old_ech = (struct ubi_ec_hdr *)img_peb;
-		update_ec_header(old_ech, si, curr_peb - ptn->start, false);
+
 		if (size < block_size)
 			num_pages = size / page_size;
 		else
 			num_pages = calc_data_len(page_size, img_peb, block_size);
+
+		/* Total size of valid data in peb */
+		peb_valid_sz = num_pages * page_size;
+
+		/*
+		* Check for oob access if any in img_peb.
+		*/
+		if (memcmp(img_peb, UBI_MAGIC, UBI_MAGIC_SIZE) ||
+			BE32(((struct ubi_ec_hdr *)img_peb)->vid_hdr_offset) > peb_valid_sz ||
+			BE32(((struct ubi_ec_hdr *)img_peb)->data_offset) > peb_valid_sz)
+		{
+			dprintf(CRITICAL, "flash_ubi_img: invalid image peb found\n");
+			return -1;
+		}
+
+		remove_F_flag(img_peb);
+		/* Update the ec_header in the image */
+		old_ech = (struct ubi_ec_hdr *)img_peb;
+		update_ec_header(old_ech, si, curr_peb - ptn->start, false);
 		/* Write one block from image */
 		ret = qpic_nand_write(curr_peb * num_pages_per_blk,
 				num_pages, img_peb, 0);