From: Alison Chaiken <ali...@peloton-tech.com>
Strings read from devices may sometimes fail to be
NULL-terminated. The functions in lib/string.c are subject to
failure in this case. Protect against observed failures in
set_gpt_info() by switching to length-checking variants with a length
limit of the maximum possible partition table length. At the same
time, add a few checks for NULL string pointers.
Here is an example as observed in sandbox under GDB:
=> gpt verify host 0 $partitions
Program received signal SIGSEGV, Segmentation fault.
0x0000000000477747 in strlen (s=0x0) at lib/string.c:267
267 for (sc = s; *sc != '\0'; ++sc)
(gdb) bt
#0 0x0000000000477747 in strlen (s=0x0) at lib/string.c:267
#1 0x00000000004140b2 in set_gpt_info (str_part=<optimized out>,
str_disk_guid=str_disk_guid@entry=0x7fffffffdbe8,
partitions=partitions@entry=0x7fffffffdbd8,
parts_count=parts_count@entry=0x7fffffffdbcf "", dev_desc=<optimized out>)
at cmd/gpt.c:415
#2 0x00000000004145b9 in gpt_verify (str_part=<optimized out>,
blk_dev_desc=0x7fffef09a9d0) at cmd/gpt.c:580
#3 do_gpt (cmdtp=<optimized out>, flag=<optimized out>, argc=<optimized
out>, argv=0x7fffef09a8f0)
at cmd/gpt.c:783
#4 0x00000000004295b0 in cmd_call (argv=0x7fffef09a8f0, argc=0x5,
flag=<optimized out>,
cmdtp=0x714e20 <_u_boot_list_2_cmd_2_gpt>) at common/command.c:500
#5 cmd_process (flag=<optimized out>, argc=0x5, argv=0x7fffef09a8f0,
repeatable=repeatable@entry=0x726c04 <flag_repeat>, ticks=ticks@entry=0x0)
at common/command.c:539
Suggested-by: Lothar Waßmann <l...@karo-electronics.de>
Signed-off-by: Alison Chaiken <ali...@peloton-tech.com>
---
cmd/gpt.c | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/cmd/gpt.c b/cmd/gpt.c
index 73bf273..8bd7bdf 100644
--- a/cmd/gpt.c
+++ b/cmd/gpt.c
@@ -233,7 +233,7 @@ static void print_gpt_info(void)
}
}
-#ifdef CONFIG_CMD_GPT_RENAME
+
static int calc_parts_list_len(int numparts)
{
int partlistlen = UUID_STR_LEN + 1 + strlen("uuid_disk=");
@@ -253,6 +253,7 @@ static int calc_parts_list_len(int numparts)
return partlistlen;
}
+#ifdef CONFIG_CMD_GPT_RENAME
/*
* create the string that upstream 'gpt write' command will accept as an
* argument
@@ -381,6 +382,7 @@ static int set_gpt_info(struct blk_desc *dev_desc,
int errno = 0;
uint64_t size_ll, start_ll;
lbaint_t offset = 0;
+ int max_str_part = calc_parts_list_len(MAX_SEARCH_PARTITIONS);
debug("%s: lba num: 0x%x %d\n", __func__,
(unsigned int)dev_desc->lba, (unsigned int)dev_desc->lba);
@@ -398,6 +400,8 @@ static int set_gpt_info(struct blk_desc *dev_desc,
if (!val) {
#ifdef CONFIG_RANDOM_UUID
*str_disk_guid = malloc(UUID_STR_LEN + 1);
+ if (str_disk_guid == NULL)
+ return -ENOMEM;
gen_rand_uuid_str(*str_disk_guid, UUID_STR_FORMAT_STD);
#else
free(str);
@@ -412,10 +416,14 @@ static int set_gpt_info(struct blk_desc *dev_desc,
/* Move s to first partition */
strsep(&s, ";");
}
- if (strlen(s) == 0)
+ if (s == NULL) {
+ printf("Error: is the partitions string NULL-terminated?\n");
+ return -EINVAL;
+ }
+ if (strnlen(s, max_str_part) == 0)
return -3;
- i = strlen(s) - 1;
+ i = strnlen(s, max_str_part) - 1;
if (s[i] == ';')
s[i] = '\0';
@@ -429,6 +437,8 @@ static int set_gpt_info(struct blk_desc *dev_desc,
/* allocate memory for partitions */
parts = calloc(sizeof(disk_partition_t), p_count);
+ if (parts == NULL)
+ return -ENOMEM;
/* retrieve partitions data from string */
for (i = 0; i < p_count; i++) {
@@ -450,12 +460,12 @@ static int set_gpt_info(struct blk_desc *dev_desc,
} else {
if (extract_env(val, &p))
p = val;
- if (strlen(p) >= sizeof(parts[i].uuid)) {
+ if (strnlen(p, max_str_part) >= sizeof(parts[i].uuid)) {
printf("Wrong uuid format for partition %d\n",
i);
errno = -4;
goto err;
}
- strcpy((char *)parts[i].uuid, p);
+ strncpy((char *)parts[i].uuid, p, max_str_part);
free(val);
}
#ifdef CONFIG_PARTITION_TYPE_GUID
@@ -465,13 +475,13 @@ static int set_gpt_info(struct blk_desc *dev_desc,
/* 'type' is optional */
if (extract_env(val, &p))
p = val;
- if (strlen(p) >= sizeof(parts[i].type_guid)) {
+ if (strnlen(p, max_str_part) >=
sizeof(parts[i].type_guid)) {
printf("Wrong type guid format for partition
%d\n",
i);
errno = -4;
goto err;
}
- strcpy((char *)parts[i].type_guid, p);
+ strncpy((char *)parts[i].type_guid, p, max_str_part);
free(val);
}
#endif
@@ -483,11 +493,11 @@ static int set_gpt_info(struct blk_desc *dev_desc,
}
if (extract_env(val, &p))
p = val;
- if (strlen(p) >= sizeof(parts[i].name)) {
+ if (strnlen(p, max_str_part) >= sizeof(parts[i].name)) {
errno = -4;
goto err;
}
- strcpy((char *)parts[i].name, p);
+ strncpy((char *)parts[i].name, p, max_str_part);
free(val);
/* size */
--
2.1.4
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot
