| author | Gabe Black <gabeblack@chromium.org> | 2011-12-19 22:11:22 -0800 |
|---|---|---|
| committer | Gabe Black <gabeblack@chromium.org> | 2011-12-20 14:20:58 -0800 |
| commit | 66138ad0bfb2442404287966521166b6dd01bc16 (patch) | |
| tree | 70691b3abf49a866613d2aff0c20c72387ec884e /lib | |
| parent | 33bfb5df7c4997e2690227c45621f68db06dbfb3 (diff) | |
Security: Fix a security bug in the border_check function.
Because the offset and count parameters for the border_check function are
unsigned, their total could overflow a uint32_t and end up wrapping to look
smaller than the size of the flash even though it's mathematically larger.
This change adds a check for that overflow.
BUG=chromium-os:24222
TEST=Built and booted on a Lumpy.
Change-Id: I63b04dcb519f740f6d591301bc3d4d533bbd4e05
Signed-off-by: Gabe Black <gabeblack@google.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/13219
Reviewed-by: Che-Liang Chiou <clchiou@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Tested-by: Gabe Black <gabeblack@chromium.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/chromeos/firmware_storage_spi.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/chromeos/firmware_storage_spi.c b/lib/chromeos/firmware_storage_spi.c index a2d80b585b0..63e775a1427 100644 --- a/lib/chromeos/firmware_storage_spi.c +++ b/lib/chromeos/firmware_storage_spi.c @@ -34,12 +34,15 @@ static int border_check(struct spi_flash *flash, uint32_t offset, uint32_t count) { + uint32_t max_offset = offset + count; + if (offset >= flash->size) { VBDEBUG(PREFIX "at EOF\n"); return -1; } - if (offset + count > flash->size) { + /* max_offset will be less than offset iff overflow occurred. */ + if (max_offset < offset || max_offset > flash->size) { VBDEBUG(PREFIX "exceed range\n"); return -1; } |
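Review bot: the second `if` can drop the wrapped sum and its explanatory comment entirely, since the preceding `if (offset >= flash->size)` check already guarantees `offset < flash->size`, so `flash->size - offset` cannot underflow and `if (count > flash->size - offset)` expresses the same bound without any reliance on modular arithmetic. If the `max_offset` form is kept, the test `max_offset < offset` is a correct overflow detector (unsigned addition wraps modulo 2^32 and `count` is never negative, so the wrapped sum is below `offset` exactly when the true sum exceeded `UINT32_MAX`), but the comment `/* max_offset will be less than offset iff overflow occurred. */` should also say that this wrap is well-defined for unsigned types; a reader who later changes these parameters to signed integers would otherwise inherit undefined behaviour and a check the compiler may discard.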