Re: [U-Boot] Prevent null pointer dereference originating in cmd_pxe.c
On Mon, Oct 07, 2013 at 09:51:48AM -0400, Steven Falco wrote: Pass a valid cmdtp into do_tftpb(), do_ext2load(), and do_get_fat(), to avoid possible crashes due to null pointer dereferencing. Signed-off-by: Steven A. Falco stevenfa...@gmail.com --- This doesn't apply cleanly, nor with --ignore-whitespace for me. Can you please re-check and re-send the patch? Thanks. Sorry - I've been having trouble getting Thunderbird to leave my text alone. There was some insane flowed text setting that I just discovered and disabled. I think I've got it right now. I'll download this email from the list after I post it, and do a diff to be sure. Commit d7884e047d08447dfd1374e9fa2fdf7ab36e56f5 does not go far enough. There is still at least one call chain that can result in a crash. The do_tftpb(), do_ext2load(), and do_get_fat() functions expect a valid cmdtp. Passing in NULL is particularly bad in the do_tftpb() case, because eventually boot_get_kernel() will be called with a NULL cmdtp: do_tftpb() - netboot_common() - bootm_maybe_autostart() - do_bootm() - do_bootm_states() - bootm_find_os() - boot_get_kernel() Around line 991 in cmd_bootm.c, boot_get_kernel() will dereference the null pointer, and the board will crash. With a reworded commit message to include more details, applied to u-boot/master, thanks! -- Tom signature.asc Description: Digital signature ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] Prevent null pointer dereference originating in cmd_pxe.c
On Wed, Sep 25, 2013 at 09:35:30PM -0400, Steven Falco wrote: Pass a valid cmdtp into do_tftpb(), do_ext2load(), and do_get_fat(), to avoid possible crashes due to null pointer dereferencing. Signed-off-by: Steven A. Falco stevenfalco at gmail.com This doesn't apply cleanly, nor with --ignore-whitespace for me. Can you please re-check and re-send the patch? Thanks. -- Tom signature.asc Description: Digital signature ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot
Re: [U-Boot] Prevent null pointer dereference originating in cmd_pxe.c
Pass a valid cmdtp into do_tftpb(), do_ext2load(), and do_get_fat(), to avoid possible crashes due to null pointer dereferencing. Signed-off-by: Steven A. Falco stevenfa...@gmail.com --- This doesn't apply cleanly, nor with --ignore-whitespace for me. Can you please re-check and re-send the patch? Thanks. Sorry - I've been having trouble getting Thunderbird to leave my text alone. There was some insane flowed text setting that I just discovered and disabled. I think I've got it right now. I'll download this email from the list after I post it, and do a diff to be sure. Commit d7884e047d08447dfd1374e9fa2fdf7ab36e56f5 does not go far enough. There is still at least one call chain that can result in a crash. The do_tftpb(), do_ext2load(), and do_get_fat() functions expect a valid cmdtp. Passing in NULL is particularly bad in the do_tftpb() case, because eventually boot_get_kernel() will be called with a NULL cmdtp: do_tftpb() - netboot_common() - bootm_maybe_autostart() - do_bootm() - do_bootm_states() - bootm_find_os() - boot_get_kernel() Around line 991 in cmd_bootm.c, boot_get_kernel() will dereference the null pointer, and the board will crash. diff --git a/common/cmd_pxe.c b/common/cmd_pxe.c index c5f4a22..79d3a06 100644 --- a/common/cmd_pxe.c +++ b/common/cmd_pxe.c @@ -114,16 +114,16 @@ static int get_bootfile_path(const char *file_path, char *bootfile_path, return 1; } -static int (*do_getfile)(const char *file_path, char *file_addr); +static int (*do_getfile)(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr); -static int do_get_tftp(const char *file_path, char *file_addr) +static int do_get_tftp(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr) { char *tftp_argv[] = {tftp, NULL, NULL, NULL}; tftp_argv[1] = file_addr; tftp_argv[2] = (void *)file_path; - if (do_tftpb(NULL, 0, 3, tftp_argv)) + if (do_tftpb(cmdtp, 0, 3, tftp_argv)) return -ENOENT; return 1; @@ -131,27 +131,27 @@ static int do_get_tftp(const char *file_path, char *file_addr) static char *fs_argv[5]; -static int do_get_ext2(const char *file_path, char *file_addr) +static int do_get_ext2(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr) { #ifdef CONFIG_CMD_EXT2 fs_argv[0] = ext2load; fs_argv[3] = file_addr; fs_argv[4] = (void *)file_path; - if (!do_ext2load(NULL, 0, 5, fs_argv)) + if (!do_ext2load(cmdtp, 0, 5, fs_argv)) return 1; #endif return -ENOENT; } -static int do_get_fat(const char *file_path, char *file_addr) +static int do_get_fat(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr) { #ifdef CONFIG_CMD_FAT fs_argv[0] = fatload; fs_argv[3] = file_addr; fs_argv[4] = (void *)file_path; - if (!do_fat_fsload(NULL, 0, 5, fs_argv)) + if (!do_fat_fsload(cmdtp, 0, 5, fs_argv)) return 1; #endif return -ENOENT; @@ -165,7 +165,7 @@ static int do_get_fat(const char *file_path, char *file_addr) * * Returns 1 for success, or 0 on error. */ -static int get_relfile(const char *file_path, void *file_addr) +static int get_relfile(cmd_tbl_t *cmdtp, const char *file_path, void *file_addr) { size_t path_len; char relfile[MAX_TFTP_PATH_LEN+1]; @@ -194,7 +194,7 @@ static int get_relfile(const char *file_path, void *file_addr) sprintf(addr_buf, %p, file_addr); - return do_getfile(relfile, addr_buf); + return do_getfile(cmdtp, relfile, addr_buf); } /* @@ -204,13 +204,13 @@ static int get_relfile(const char *file_path, void *file_addr) * * Returns 1 on success, or 0 for error. */ -static int get_pxe_file(const char *file_path, void *file_addr) +static int get_pxe_file(cmd_tbl_t *cmdtp, const char *file_path, void *file_addr) { unsigned long config_file_size; char *tftp_filesize; int err; - err = get_relfile(file_path, file_addr); + err = get_relfile(cmdtp, file_path, file_addr); if (err 0) return err; @@ -241,7 +241,7 @@ static int get_pxe_file(const char *file_path, void *file_addr) * * Returns 1 on success or 0 on error. */ -static int get_pxelinux_path(const char *file, void *pxefile_addr_r) +static int get_pxelinux_path(cmd_tbl_t *cmdtp, const char *file, void *pxefile_addr_r) { size_t base_len = strlen(PXELINUX_DIR); char path[MAX_TFTP_PATH_LEN+1]; @@ -254,7 +254,7 @@ static int get_pxelinux_path(const char *file, void *pxefile_addr_r) sprintf(path, PXELINUX_DIR %s, file); - return get_pxe_file(path, pxefile_addr_r); + return get_pxe_file(cmdtp, path, pxefile_addr_r); } /* @@ -262,7 +262,7 @@ static int get_pxelinux_path(const char *file, void *pxefile_addr_r) * * Returns 1 on success or 0 on error. */ -static int pxe_uuid_path(void *pxefile_addr_r) +static int pxe_uuid_path(cmd_tbl_t *cmdtp, void
Re: [U-Boot] Prevent null pointer dereference originating in cmd_pxe.c
It's good to write commit message head for easy to track the fix from where. cmd_pxe: Prevent null pointer deference For more info, please look at here. http://www.denx.de/wiki/U-Boot/Patches On Mon, Oct 7, 2013 at 7:21 PM, Steven Falco stevenfa...@gmail.com wrote: Pass a valid cmdtp into do_tftpb(), do_ext2load(), and do_get_fat(), to avoid possible crashes due to null pointer dereferencing. Signed-off-by: Steven A. Falco stevenfa...@gmail.com --- This doesn't apply cleanly, nor with --ignore-whitespace for me. Can you please re-check and re-send the patch? Thanks. Sorry - I've been having trouble getting Thunderbird to leave my text alone. There was some insane flowed text setting that I just discovered and disabled. I think I've got it right now. I'll download this email from the list after I post it, and do a diff to be sure. Commit d7884e047d08447dfd1374e9fa2fdf7ab36e56f5 does not go far enough. There is still at least one call chain that can result in a crash. The do_tftpb(), do_ext2load(), and do_get_fat() functions expect a valid cmdtp. Passing in NULL is particularly bad in the do_tftpb() case, because eventually boot_get_kernel() will be called with a NULL cmdtp: do_tftpb() - netboot_common() - bootm_maybe_autostart() - do_bootm() - do_bootm_states() - bootm_find_os() - boot_get_kernel() Around line 991 in cmd_bootm.c, boot_get_kernel() will dereference the null pointer, and the board will crash. diff --git a/common/cmd_pxe.c b/common/cmd_pxe.c index c5f4a22..79d3a06 100644 --- a/common/cmd_pxe.c +++ b/common/cmd_pxe.c @@ -114,16 +114,16 @@ static int get_bootfile_path(const char *file_path, char *bootfile_path, return 1; } -static int (*do_getfile)(const char *file_path, char *file_addr); +static int (*do_getfile)(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr); -static int do_get_tftp(const char *file_path, char *file_addr) +static int do_get_tftp(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr) { char *tftp_argv[] = {tftp, NULL, NULL, NULL}; tftp_argv[1] = file_addr; tftp_argv[2] = (void *)file_path; - if (do_tftpb(NULL, 0, 3, tftp_argv)) + if (do_tftpb(cmdtp, 0, 3, tftp_argv)) return -ENOENT; return 1; @@ -131,27 +131,27 @@ static int do_get_tftp(const char *file_path, char *file_addr) static char *fs_argv[5]; -static int do_get_ext2(const char *file_path, char *file_addr) +static int do_get_ext2(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr) { #ifdef CONFIG_CMD_EXT2 fs_argv[0] = ext2load; fs_argv[3] = file_addr; fs_argv[4] = (void *)file_path; - if (!do_ext2load(NULL, 0, 5, fs_argv)) + if (!do_ext2load(cmdtp, 0, 5, fs_argv)) return 1; #endif return -ENOENT; } -static int do_get_fat(const char *file_path, char *file_addr) +static int do_get_fat(cmd_tbl_t *cmdtp, const char *file_path, char *file_addr) { #ifdef CONFIG_CMD_FAT fs_argv[0] = fatload; fs_argv[3] = file_addr; fs_argv[4] = (void *)file_path; - if (!do_fat_fsload(NULL, 0, 5, fs_argv)) + if (!do_fat_fsload(cmdtp, 0, 5, fs_argv)) return 1; #endif return -ENOENT; @@ -165,7 +165,7 @@ static int do_get_fat(const char *file_path, char *file_addr) * * Returns 1 for success, or 0 on error. */ -static int get_relfile(const char *file_path, void *file_addr) +static int get_relfile(cmd_tbl_t *cmdtp, const char *file_path, void *file_addr) { size_t path_len; char relfile[MAX_TFTP_PATH_LEN+1]; @@ -194,7 +194,7 @@ static int get_relfile(const char *file_path, void *file_addr) sprintf(addr_buf, %p, file_addr); - return do_getfile(relfile, addr_buf); + return do_getfile(cmdtp, relfile, addr_buf); } /* @@ -204,13 +204,13 @@ static int get_relfile(const char *file_path, void *file_addr) * * Returns 1 on success, or 0 for error. */ -static int get_pxe_file(const char *file_path, void *file_addr) +static int get_pxe_file(cmd_tbl_t *cmdtp, const char *file_path, void *file_addr) { unsigned long config_file_size; char *tftp_filesize; int err; - err = get_relfile(file_path, file_addr); + err = get_relfile(cmdtp, file_path, file_addr); if (err 0) return err; @@ -241,7 +241,7 @@ static int get_pxe_file(const char *file_path, void *file_addr) * * Returns 1 on success or 0 on error. */ -static int get_pxelinux_path(const char *file, void *pxefile_addr_r) +static int get_pxelinux_path(cmd_tbl_t *cmdtp, const char *file, void *pxefile_addr_r) { size_t base_len = strlen(PXELINUX_DIR); char path[MAX_TFTP_PATH_LEN+1]; @@ -254,7 +254,7 @@ static int get_pxelinux_path(const char *file, void *pxefile_addr_r) sprintf(path,
Re: [U-Boot] Prevent null pointer dereference originating in cmd_pxe.c
On Mon, Oct 7, 2013 at 10:51 AM, Steven Falco stevenfa...@gmail.com wrote: Sorry - I've been having trouble getting Thunderbird to leave my text alone. There was some insane flowed text setting that I just discovered and disabled. Better send patches via 'git send-email' as this can avoid these kind of email client issues. ___ U-Boot mailing list U-Boot@lists.denx.de http://lists.denx.de/mailman/listinfo/u-boot