Re: [PATCH] env: Crash in 'env import' when using checksum and a specific size

2020-09-14 Thread Tom Rini
On Mon, Aug 31, 2020 at 11:01:41AM +0200, Pedro Aguilar wrote:

> This patch adds a sanity check that prevents 'size' from overflowing and crashing when
> importing an environment that contains a checksum. Example with the wrong size
> that causes the crash:
> 
> => env import -c 0x410 3 v1
> 
> This assumes that v1 has already been successfully exported with
> 'env export -c -s 0x100 0x410 v1'
> 
> Signed-off-by: Pedro Aguilar 

Applied to u-boot/master, thanks!

-- 
Tom




[PATCH] env: Crash in 'env import' when using checksum and a specific size

2020-08-31 Thread Pedro Aguilar
This patch adds a sanity check that prevents 'size' from overflowing and crashing when
importing an environment that contains a checksum. Example with the wrong size
that causes the crash:

=> env import -c 0x410 3 v1

This assumes that v1 has already been successfully exported with
'env export -c -s 0x100 0x410 v1'

Signed-off-by: Pedro Aguilar 
---
 cmd/nvedit.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index d188c6aa6b..9f145dd284 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -1171,6 +1171,11 @@ static int do_env_import(struct cmd_tbl *cmdtp, int flag,
uint32_t crc;
env_t *ep = (env_t *)ptr;
 
+   if (size <= offsetof(env_t, data)) {
+   printf("## Error: Invalid size 0x%zX\n", size);
+   return 1;
+   }
+
size -= offsetof(env_t, data);
memcpy(&crc, &ep->crc, sizeof(crc));
 
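Review bot: the guard before `size -= offsetof(env_t, data);` covers only the lower bound, and neither the code nor the commit message says why a small size is fatal. A one-line comment above the `if` noting that the subtraction on an unsigned `size` would wrap to a huge value would make the intent clear to the next reader. Two smaller points: the `<=` also rejects a size exactly equal to the header, so it is worth stating in the message that an import with zero data bytes is deliberately treated as invalid; and the `%zX` format is only correct if `size` is a `size_t`, which the hunk does not show, so please confirm the declaration matches. The subject line describes the symptom rather than the change; something like "env: Fix crash in 'env import' ..." would read better in the log.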
-- 
2.25.1