From: Suzuki K. Poulose <suzuki@xxxxxxxxxx> For payloads without any compression, the image->len is set to the length of the entire uImage which includes the uImage header. This should be filled in from ih_size field of the uImage header. This can cause a buffer overflow, leading the sha256_process to overrun the initrd buffer. Also, prevents a vulnerability where the image has been appended with additional data. The crc check is performed only when compiled with zlib. TODO: Implement CRC check if ZLIB is not compiled in. Reported-by: Nathan Miller <nathanm2 at us.ibm.com> Signed-off-by: Suzuki K. Poulose <suzuki at in.ibm.com> --- kexec/kexec-uImage.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/kexec/kexec-uImage.c b/kexec/kexec-uImage.c index 3799a3b..9e275b2 100644 --- a/kexec/kexec-uImage.c +++ b/kexec/kexec-uImage.c @@ -208,14 +208,25 @@ int uImage_load(const unsigned char *buf, off_t len, struct Image_info *image) { const struct image_header *header = (const struct image_header *)buf; const unsigned char *img_buf = buf + sizeof(struct image_header); - off_t img_len = len - sizeof(struct image_header); + off_t img_len = header->ih_size; + + /* + * Prevent loading a modified image. + * CRC check is perfomed only when zlib is compiled + * in. This check will help us to detect + * size related vulnerabilities. + */ + if (img_len != (len - sizeof(struct image_header))) { + printf("Image size doesn't match the header\n"); + return -1; + } image->base = cpu_to_be32(header->ih_load); image->ep = cpu_to_be32(header->ih_ep); switch (header->ih_comp) { case IH_COMP_NONE: image->buf = img_buf; - image->len = len; + image->len = img_len; return 0; break;
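Review bot: `off_t img_len = header->ih_size;` takes the raw header field, but the two assignments just below this hunk convert `ih_load` and `ih_ep` with `cpu_to_be32()`; `ih_size` is stored in the same big-endian layout, so on a little-endian host the new equality check compares against a byte-swapped length and will reject well-formed images rather than detect tampering. Apply the same conversion before the check and before it is stored in `image->len`, e.g. `off_t img_len = cpu_to_be32(header->ih_size);`. Two smaller points in the same hunk: the added comment says the CRC check is "perfomed" (should be "performed") only when zlib is compiled in, which reads as if this size check were also zlib-dependent, whereas it runs unconditionally; rewording it to say that the size check is always done and only the CRC check is zlib-only would avoid confusion. The error message is also written with `printf` to stdout; `fprintf(stderr, ...)` keeps it out of normal output.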