On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote: > From: Chris Morgan <[email protected]> > > It looks like under certain circumstances when reading the vendor_boot > partition it causes my device to write outside the range of memory > available. Near as I can tell this occurs because > scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size() > which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls > add_trailer() which attempts to copy information to a buffer allocated > with malloc in the scan_vendor_boot_part() function. On my board the > memory set aside for malloc is at the top of the system RAM, and given > a large enough vendor boot image size this causes the write from > add_trailer() to occur outside of the system RAM (nevermind outside > of what was allocated with the malloc(). > > While I don't know the absolute best way to handle this, I would assume > that if we simply map the memory we want to use to where we will > eventually load the vendor_boot image that would be the most logical. > > Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes") > Signed-off-by: Chris Morgan <[email protected]> > --- > boot/bootmeth_android.c | 20 ++++++-------------- > 1 file changed, 6 insertions(+), 14 deletions(-) > > diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c > index 1374551dbeb..c2c25d53ef3 100644 > --- a/boot/bootmeth_android.c > +++ b/boot/bootmeth_android.c > @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, > struct android_priv *priv) > struct blk_desc *desc = dev_get_uclass_plat(blk); > struct disk_partition partition; > char partname[PART_NAME_LEN]; > - ulong num_blks, bufsz; > + ulong num_blks; > char *buf; > int ret; > + ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0); > > if (priv->slot) > sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot); > @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, > struct android_priv *priv) > return log_msg_ret("part info", ret); > > num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), > desc->blksz); > - bufsz = num_blks * desc->blksz; > - buf = malloc(bufsz); > + buf = map_sysmem(vloadaddr, 0); > if (!buf) > return log_msg_ret("buf", -ENOMEM); > > ret = blk_read(blk, partition.start, num_blks, buf); > - if (ret != num_blks) { > - free(buf); > + if (ret != num_blks) > return log_msg_ret("part read", -EIO); > - } > > - if (!is_android_vendor_boot_image_header(buf)) { > - free(buf); > + if (!is_android_vendor_boot_image_header(buf)) > return log_msg_ret("header", -ENOENT); > - } > > - if (!android_image_get_vendor_bootimg_size(buf, > &priv->vendor_boot_img_size)) { > - free(buf); > + if (!android_image_get_vendor_bootimg_size(buf, > &priv->vendor_boot_img_size)) > return log_msg_ret("get vendor bootimg size", -EINVAL); > - } > - > - free(buf); > > return 0; > }
I haven't forgotten about this, but I'm hoping there's some other way to solve this, I'm not super keen on adding another environment variable (that would need to be documented in a v2 if we can't fix this some other way). Mattijs, do you have any ideas? -- Tom
signature.asc
Description: PGP signature
