author | Cyril Bur <cyril.bur@au1.ibm.com> | 2016-07-05 16:12:47 +1000 |
---|---|---|
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2016-07-05 18:04:13 +1000 |
commit | 37550b7059edaaaf80e45cd93a7235f948687fe9 (patch) | |
tree | b917e9bc6e796e4cdb9872a1fd8ce89296387926 /libflash | |
parent | a820ed5d622756fe6d2dc248656f6ef87d477634 (diff) | |
libflash: Add sanity checks to ffs init code.
Quite a lot of code relies on values read from flash. These values
shouldn't be totally trusted without at least basic sanity checks.
Fixes coverity bug: 119719
Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libflash')
-rw-r--r-- | libflash/libffs.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/libflash/libffs.c b/libflash/libffs.c
index 4d57992..8134962 100644
--- a/libflash/libffs.c
+++ b/libflash/libffs.c
@@ -137,11 +137,33 @@ int ffs_init(uint32_t offset, uint32_t max_size, struct blocklevel_device *bl,
 goto out;
 }
+ /* Check header is sane */
+ if ((f->hdr.block_size * f->hdr.size) > max_size) {
+ rc = FLASH_ERR_PARM_ERROR;
+ FL_ERR("FFS: Flash header exceeds max flash size\n");
+ goto out;
+ }
+
+ if ((f->hdr.entry_size * f->hdr.entry_count) >
+ (f->hdr.block_size * f->hdr.size)) {
+ rc = FLASH_ERR_PARM_ERROR;
+ FL_ERR("FFS: Flash header entries exceeds available blocks\n");
+ goto out;
+ }
+
 /*
 * Decide how much of the image to grab to get the whole
 * partition map.
 */
 f->cached_size = f->hdr.block_size * f->hdr.size;
+ /* Check for overflow or a silly size */
+ if (!f->hdr.size || f->cached_size / f->hdr.size != f->hdr.block_size) {
+ rc= FLASH_ERR_MALLOC_FAILED;
+ FL_ERR("FFS: Cache size overflow (0x%x * 0x%x)\n",
+ f->hdr.block_size, f->hdr.size);
+ goto out;
+ }
+
 FL_DBG("FFS: Partition map size: 0x%x\n", f->cached_size);
 /* Allocate cache */ |
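Review bot: The second added check compares `f->hdr.entry_size * f->hdr.entry_count` against the map size without any wrap test, so if these header fields are 32-bit (as the `0x%x` format suggests) a flash header whose entry product wraps to a small value passes it; only `block_size * size` gets the later division test, and that test runs after the product has already been used in both comparisons. Moving the overflow test ahead of the comparisons and bounding the entries by division closes this, e.g. `if (f->hdr.entry_count && f->hdr.entry_size > f->cached_size / f->hdr.entry_count)` once `cached_size` is known not to have wrapped. A zero `block_size` with a non-zero `size` also satisfies `f->cached_size / f->hdr.size != f->hdr.block_size` as false and leaves `cached_size` at 0, which is probably worth rejecting in the same branch. The overflow branch returns `FLASH_ERR_MALLOC_FAILED` although nothing has been allocated yet, where the two sibling checks use `FLASH_ERR_PARM_ERROR`. ffs_init starts and ends outside this hunk, so how `cached_size` and the entry fields are consumed afterwards is not visible here.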