authorOliver O'Halloran <oohall@gmail.com>2019-08-16 15:40:20 +1000
committerVasant Hegde <hegdevasant@linux.vnet.ibm.com>2019-10-23 14:23:09 +0530
commit97eb962d643633ff7eb1e7d83e8ce7b1e1aa0c2f (patch)
treefbacb328183b4993a9eea9fafa555dc3fb00488c /core
parenta1fced25bf41f1f94a3673a0b2bf68135eedce25 (diff)
core/flash: Validate secure boot content size
[ Upstream commit e2018d2a3d46491dc2abd758c67c1937910b3a67 ] Currently we don't check if the secure boot payload size fits within the partition that we are reading it from. This results in strange failures later on in boot if we cross the boundary between an ECCed and a non-ECCed partition since libflash does not support reading from regions with mixed ECC status. Without this patch: blocklevel_read: Can't cope with partial ecc FLASH: failed to read content size 15728640 BOOTKERNEL partition, rc 3 With: FLASH: Cannot load BOOTKERNEL. Content is larger than the partition Cc: Nayna Jain <nayna@linux.ibm.com> Signed-off-by: Oliver O'Halloran <oohall@gmail.com> Acked-by: Stewart Smith <stewart@flamingspork.com> Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Diffstat (limited to 'core')
-rw-r--r--core/flash.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/core/flash.c b/core/flash.c
index bfa4a72..67c39c2 100644
--- a/core/flash.c
+++ b/core/flash.c
@@ -631,6 +631,10 @@ static int flash_load_resource(enum resource_id id, uint32_t subid,
prlog(PR_DEBUG,"FLASH: %s partition %s ECC\n",
name, ecc ? "has" : "doesn't have");
+ /*
+ * FIXME: Make the fact we don't support partitions smaller than 4K
+ * more explicit.
+ */
if (ffs_part_size < SECURE_BOOT_HEADERS_SIZE) {
prerror("FLASH: secboot headers bigger than "
"partition size 0x%x\n", ffs_part_size);
@@ -668,6 +672,13 @@ static int flash_load_resource(enum resource_id id, uint32_t subid,
goto out_free_ffs;
}
+ if (*len > ffs_part_size) {
+ prerror("FLASH: Cannot load %s. Content is larger than the partition\n",
+ name);
+ rc = OPAL_PARAMETER;
+ goto out_free_ffs;
+ }
+
ffs_part_start += SECURE_BOOT_HEADERS_SIZE;
rc = blocklevel_read(flash->bl, ffs_part_start, bufp,