With CONFIG_CMD_BOOTEFI=y, the load command causes a data abort when path_to_uefi(fp->str, path) tries to write the UEFI path out of bounds of the u16 str[] array (check the efi_device_path_file_path struct for details). This is caused by improper handling of the void *buf pointer in efi_dp_from_file(), particularly when the buf pointer value is changed after the dp_part_fill() invocation.
> load usb 0:1 0x12000000 imx6dl-colibri-eval-v3.dtb pc : [<2fab48ae>] lr : [<2fab4339>] reloc pc : [<178338ae>] lr : [<17833339>] sp : 2da77120 ip : 00000003 fp : 00000005 r10: 2daa31d0 r9 : 2da80ea8 r8 : 00000001 r7 : 2daa3098 r6 : 2ca75040 r5 : 2da77148 r4 : 0000003a r3 : 00000069 r2 : 2ca750a3 r1 : 2daa3104 r0 : 2ca7509f Flags: nzCv IRQs off FIQs off Mode SVC_32 Code: 4630fb31 81f0e8bd e7d84606 bf082b2f (f822235c) Resetting CPU ... With the change suggested: > load usb 0:1 0x12000000 imx6dl-colibri-eval-v3.dtb 5675440 bytes read in 188 ms (28.8 MiB/s) Signed-off-by: Igor Opaniuk <igor.opan...@toradex.com> --- lib/efi_loader/efi_device_path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 53b40c8c3c..97b4356167 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c @@ -829,7 +829,7 @@ struct efi_device_path *efi_dp_from_file(struct blk_desc *desc, int part, buf = dp_part_fill(buf, desc, part); /* add file-path: */ - fp = buf; + fp = start; fp->dp.type = DEVICE_PATH_TYPE_MEDIA_DEVICE; fp->dp.sub_type = DEVICE_PATH_SUB_TYPE_FILE_PATH; fp->dp.length = fpsize; -- 2.17.1 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
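Review bot: In the efi_dp_from_file() hunk, `fp = start;` places the file-path node at the beginning of the buffer instead of at the position `dp_part_fill()` returned, so the nodes written by `buf = dp_part_fill(buf, desc, part);` are overwritten by the `fp->dp.type`, `fp->dp.sub_type` and `fp->dp.length` stores, assuming `start` is the original allocation pointer as its name suggests. The comment `/* add file-path: */` indicates the node is meant to be appended after the partition nodes, and with this change the value assigned to `buf` is no longer used for that placement. The data abort may stop only because the write now begins earlier in the allocation, which hides an undersized buffer rather than fixing it. The hunk does not show how the buffer is sized, so please check that the allocation covers both what dp_part_fill() writes and `fpsize`, and that `fpsize` matches what path_to_uefi() actually stores into `fp->str`, then keep `fp = buf;` and correct the size computation. It would also help to state in the commit message what device path the load command produces after the change, since a successful read alone does not show that the resulting path is still well formed.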