app: aboot: Verify boot image signature

Verify the boot image signature as part of the fastboot boot
command, and fix buffer over-read issues by sanitizing
the kernel, ramdisk, page size read from the boot image
header.

CRs-Fixed: 681957 682002
Change-Id: I546502c7a9479c8a41453e32c6cb14bc850709fe
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 0b6baf7..4a3011e 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -35,6 +35,7 @@
 #include <arch/arm.h>
 #include <string.h>
 #include <stdlib.h>
+#include <limits.h>
 #include <kernel/thread.h>
 #include <arch/ops.h>
 
@@ -96,6 +97,8 @@
 #define DEFAULT_ERASE_SIZE  4096
 #define MAX_PANEL_BUF_SIZE 128
 
+#define ADD_OF(a, b) (UINT_MAX - b > a) ? (a + b) : UINT_MAX
+
 static const char *emmc_cmdline = " androidboot.emmc=true";
 static const char *usb_sn_cmdline = " androidboot.serialno=";
 static const char *androidboot_mode = " androidboot.mode=";
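Review bot: ADD_OF expands to a bare conditional expression with unparenthesized arguments, so it only behaves as intended when it is the whole right-hand side of an assignment, as in the three uses later in this patch. Any future use inside a larger expression, or with an argument that is itself an expression, would bind differently and silently weaken a bounds check. I would write it as `#define ADD_OF(a, b) ((UINT_MAX - (b) > (a)) ? ((a) + (b)) : UINT_MAX)` and add a comment such as `/* Saturating unsigned add: yields UINT_MAX instead of wrapping */`. Both arguments are evaluated twice, so a `static inline` function taking two `unsigned` values would be safer still.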
@@ -1473,6 +1476,8 @@
 {
 	unsigned kernel_actual;
 	unsigned ramdisk_actual;
+	uint32_t image_actual;
+	uint32_t dt_actual = 0;
 	struct boot_img_hdr *hdr;
 	char *ptr = ((char*) data);
 	int ret = 0;
@@ -1495,6 +1500,25 @@
 
 	kernel_actual = ROUND_TO_PAGE(hdr->kernel_size, page_mask);
 	ramdisk_actual = ROUND_TO_PAGE(hdr->ramdisk_size, page_mask);
+#if DEVICE_TREE
+	dt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask);
+#endif
+
+	image_actual = ADD_OF(page_size, kernel_actual);
+	image_actual = ADD_OF(image_actual, ramdisk_actual);
+	image_actual = ADD_OF(image_actual, dt_actual);
+
+	/* sz should have atleast raw boot image */
+	if (image_actual > sz) {
+		fastboot_fail("incomplete bootimage");
+		return;
+	}
+
+	/* Verify the boot image
+	 * device & page_size are initialized in aboot_init
+	 */
+	if (target_use_signed_kernel() && (!device.is_unlocked))
+		verify_signed_bootimg((uint32_t)data, image_actual);
 
 	/*
 	 * Update the kernel/ramdisk/tags address if the boot image header
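Review bot: The saturating ADD_OF sums start from values that may already have wrapped, because `ROUND_TO_PAGE(hdr->kernel_size, page_mask)` and the ramdisk_size and dt_size equivalents run on raw header fields before any range check. ROUND_TO_PAGE is defined outside this hunk; if it adds page_mask before masking, a size within page_mask of UINT_MAX rounds down to a small value and the `image_actual > sz` test no longer reflects the sizes the header declares. A guard ahead of each rounding, for example `if (hdr->kernel_size > UINT_MAX - page_mask) { fastboot_fail("invalid kernel size"); return; }`, would keep the later length check meaningful. Separately, the result of `verify_signed_bootimg(...)` is not used here, so a comment stating whether it returns on verification failure would help readers confirm that an unverified image cannot reach the code below. The enclosing function starts and ends outside this hunk.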
@@ -1516,12 +1540,6 @@
 		return;
 	}
 
-	/* sz should have atleast raw boot image */
-	if (page_size + kernel_actual + ramdisk_actual > sz) {
-		fastboot_fail("incomplete bootimage");
-		return;
-	}
-
 #if DEVICE_TREE
 	/* find correct dtb and copy it to right location */
 	ret = copy_dtb(data);