authorGabe Black <gabeblack@chromium.org>2011-12-20 01:46:46 -0800
committerGabe Black <gabeblack@chromium.org>2011-12-20 17:54:47 -0800
commitfe623bdec87124735ae59fce52aea05782f688ca (patch)
tree69f6762884e1ef96490415d9e6e09704f7f4f139 /common/cmd_vbexport_test.c
parent63b3a649ddf4df0bb5b010b0a8d1e3c6c31f85f2 (diff)
Security: Make sure not to overflow the in memory version of the GBB
This is a revised version of this patch which fixes an ARM bug. This change plumbs the size of the GBB specified in the device tree to the functions that read it from the flash into memory, and adds checks to those functions to make sure they don't spill out of the in memory GBB. From a security standpoint this is a largely theoretical problem since the GBB is in the read only portion of flash and if that can be modified the machine is totally compromised, but it's possible somehow an attacker could force vboot to read the GBB from the wrong place. From a practical perspective it's not a bad idea to check this to avoid accidental memory corruption. BUG=chromium-os:24223 TEST=Built and booted on Lumpy. Built for Kaen. Change-Id: I90d23fd6e055db595af12b1bd63d9932cbffe7ae Signed-off-by: Gabe Black <gabeblack@google.com> Reviewed-on: https://gerrit.chromium.org/gerrit/13279 Tested-by: Simon Glass <sjg@chromium.org> Reviewed-by: Gabe Black <gabeblack@chromium.org>
Diffstat (limited to 'common/cmd_vbexport_test.c')
-rw-r--r--common/cmd_vbexport_test.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/common/cmd_vbexport_test.c b/common/cmd_vbexport_test.c
index c267e12f47..cf7b9f95ac 100644
--- a/common/cmd_vbexport_test.c
+++ b/common/cmd_vbexport_test.c
@@ -403,10 +403,10 @@ static uint8_t *read_gbb_from_firmware(void)
firmware_storage_t file;
struct twostop_fmap fmap;
void *gbb;
- size_t size;
+ size_t gbb_size;
gbb = fdt_decode_chromeos_alloc_region(gd->blob,
- "google-binary-block", &size);
+ "google-binary-block", &gbb_size);
if (!gbb) {
VbExDebug("Failed to find gbb region!\n");
return NULL;
@@ -423,12 +423,13 @@ static uint8_t *read_gbb_from_firmware(void)
return NULL;
}
- if (gbb_init(gbb, &file, fmap.readonly.gbb.offset)) {
+ if (gbb_init(gbb, &file, fmap.readonly.gbb.offset, gbb_size)) {
VbExDebug("Failed to read GBB!\n");
return NULL;
}
- if (gbb_read_bmp_block(gbb, &file, fmap.readonly.gbb.offset)) {
+ if (gbb_read_bmp_block(gbb, &file, fmap.readonly.gbb.offset,
+ gbb_size)) {
VbExDebug("Failed to load BMP Block in GBB!\n");
return NULL;
}
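Review bot: Neither call site in this hunk records what `gbb_size` bounds, and both failure messages stay generic, so a GBB rejected by the new size check looks the same in the debug log as a flash read error. I would add a comment above the `gbb_init` call such as `/* gbb_size is the size of the in-memory GBB region taken from the device tree; both reads below must stay within it */`. The bounds checks themselves live in `gbb_init` and `gbb_read_bmp_block`, which are not visible here, so whether they return a distinct error for an out-of-bounds request cannot be confirmed from this file. If they do, reporting it separately (for example `VbExDebug("GBB does not fit in its memory region!\n");`) would make a misplaced or oversized GBB easier to spot. The body of `read_gbb_from_firmware` starts and ends outside this hunk.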