diff options
| author | Simon Glass <sjg@chromium.org> | 2011-12-20 15:53:20 -0800 |
|---|---|---|
| committer | Simon Glass <sjg@chromium.org> | 2011-12-20 17:17:14 -0800 |
| commit | 4bb9fddcf0c366008c276aee8a08590dc85ea83d (patch) | |
| tree | a19ebd5819a139e19b13b8d00792f829ba06920b /lib/chromeos | |
| parent | a3e0bc8e4e66da7119bf954b1747f70c92e1466b (diff) | |
Revert "Security: Make sure not to overflow the in memory version of the GBB"
This breaks recovery mode on Kaen - the bitmaps are not displayed.
This reverts commit e1153e1f56ebebff188f3693e534f10bd68e6f07
Change-Id: I300ae39382dc1960bb0375ad660a88b65181edc9
Reviewed-on: https://gerrit.chromium.org/gerrit/13274
Reviewed-by: Gabe Black (Do Not Use) <gabeblack@google.com>
Commit-Ready: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'lib/chromeos')
| -rw-r--r-- | lib/chromeos/gbb.c | 35 |
1 files changed, 4 insertions, 31 deletions
diff --git a/lib/chromeos/gbb.c b/lib/chromeos/gbb.c index b2ab343b6f..25d5741318 100644 --- a/lib/chromeos/gbb.c +++ b/lib/chromeos/gbb.c @@ -16,28 +16,16 @@ #define PREFIX "gbb: " -int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset, - size_t gbb_size) +int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset) { #ifndef CONFIG_HARDWARE_MAPPED_SPI GoogleBinaryBlockHeader *gbbh = (GoogleBinaryBlockHeader *)gbb; - uint32_t hwid_end; - uint32_t rootkey_end; if (file->read(file, gbb_offset, sizeof(*gbbh), gbbh)) { VBDEBUG(PREFIX "failed to read GBB header\n"); return 1; } - hwid_end = gbbh->hwid_offset + gbbh->hwid_size; - rootkey_end = gbbh->rootkey_offset + gbbh->rootkey_size; - if (hwid_end < gbbh->hwid_offset || hwid_end >= gbb_size || - rootkey_end < gbbh->rootkey_offset || - rootkey_end >= gbb_size) { - VBDEBUG(PREFIX "invalid gbb header entries"); - return 1; - } - if (file->read(file, gbb_offset + gbbh->hwid_offset, gbbh->hwid_size, gbb + gbbh->hwid_offset)) { @@ -52,7 +40,6 @@ int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset, return 1; } #else - /* No data is actually moved in this case so no bounds checks. */ if (file->read(file, gbb_offset, sizeof(GoogleBinaryBlockHeader), gbb)) { VBDEBUG(PREFIX "failed to read GBB header\n"); @@ -64,16 +51,9 @@ int gbb_init(read_buf_type gbb, firmware_storage_t *file, uint32_t gbb_offset, } #ifndef CONFIG_HARDWARE_MAPPED_SPI -int gbb_read_bmp_block(void *gbb, firmware_storage_t *file, uint32_t gbb_offset, - size_t gbb_size) +int gbb_read_bmp_block(void *gbb, firmware_storage_t *file, uint32_t gbb_offset) { GoogleBinaryBlockHeader *gbbh = (GoogleBinaryBlockHeader *)gbb; - uint32_t bmpfv_end = gbbh->bmpfv_offset + gbbh->bmpfv_size; - - if (bmpfv_end < gbbh->bmpfv_offset || bmpfv_end >= gbb_size) { - VBDEBUG(PREFIX "invalid gbb header entries"); - return 1; - } if (file->read(file, gbb_offset + gbbh->bmpfv_offset, gbbh->bmpfv_size, @@ -85,17 +65,10 @@ int gbb_read_bmp_block(void *gbb, firmware_storage_t *file, uint32_t gbb_offset, return 0; } -int gbb_read_recovery_key(void *gbb, firmware_storage_t *file, - uint32_t gbb_offset, size_t gbb_size) +int gbb_read_recovery_key(void *gbb, + firmware_storage_t *file, uint32_t gbb_offset) { GoogleBinaryBlockHeader *gbbh = (GoogleBinaryBlockHeader *)gbb; - uint32_t rkey_end = gbbh->recovery_key_offset + - gbbh->recovery_key_size; - - if (rkey_end < gbbh->recovery_key_offset || rkey_end >= gbb_size) { - VBDEBUG(PREFIX "invalid gbb header entries"); - return 1; - } if (file->read(file, gbb_offset + gbbh->recovery_key_offset, gbbh->recovery_key_size, |