From: Chris Morgan <[email protected]>
It looks like under certain circumstances when reading the vendor_boot
partition it causes my device to write outside the range of memory
available. Near as I can tell this occurs because
scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size()
which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls
add_trailer() which attempts to copy information to a buffer allocated
with malloc in the scan_vendor_boot_part() function. On my board the
memory set aside for malloc is at the top of the system RAM, and given
a large enough vendor boot image size this causes the write from
add_trailer() to occur outside of the system RAM (nevermind outside
of what was allocated with the malloc().
While I don't know the absolute best way to handle this, I would assume
that if we simply map the memory we want to use to where we will
eventually load the vendor_boot image that would be the most logical.
Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes")
Signed-off-by: Chris Morgan <[email protected]>
---
boot/bootmeth_android.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 1374551dbeb..c2c25d53ef3 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk,
struct android_priv *priv)
struct blk_desc *desc = dev_get_uclass_plat(blk);
struct disk_partition partition;
char partname[PART_NAME_LEN];
- ulong num_blks, bufsz;
+ ulong num_blks;
char *buf;
int ret;
+ ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0);
if (priv->slot)
sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot);
@@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk,
struct android_priv *priv)
return log_msg_ret("part info", ret);
num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr),
desc->blksz);
- bufsz = num_blks * desc->blksz;
- buf = malloc(bufsz);
+ buf = map_sysmem(vloadaddr, 0);
if (!buf)
return log_msg_ret("buf", -ENOMEM);
ret = blk_read(blk, partition.start, num_blks, buf);
- if (ret != num_blks) {
- free(buf);
+ if (ret != num_blks)
return log_msg_ret("part read", -EIO);
- }
- if (!is_android_vendor_boot_image_header(buf)) {
- free(buf);
+ if (!is_android_vendor_boot_image_header(buf))
return log_msg_ret("header", -ENOENT);
- }
- if (!android_image_get_vendor_bootimg_size(buf,
&priv->vendor_boot_img_size)) {
- free(buf);
+ if (!android_image_get_vendor_bootimg_size(buf,
&priv->vendor_boot_img_size))
return log_msg_ret("get vendor bootimg size", -EINVAL);
- }
-
- free(buf);
return 0;
}
--
2.43.0
