vpnor: Test if HBB placement exceeds reserved memory bounds

If a host firmware image is provided where the placement of HBB exceeds
the reserved memory size then an out-of-bounds write would occur.

Change-Id: I0a98cb7417511cc8dd5bd2e12c9232ebc912dcd6
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
diff --git a/vpnor/mboxd_pnor_partition_table.cpp b/vpnor/mboxd_pnor_partition_table.cpp
index 9a82151..a6ebd4e 100644
--- a/vpnor/mboxd_pnor_partition_table.cpp
+++ b/vpnor/mboxd_pnor_partition_table.cpp
@@ -100,16 +100,20 @@
 
         size_t tocOffset = 0;
 
-        // Copy TOC
-        flash_copy(&local, tocOffset,
-                   static_cast<uint8_t*>(context->mem) + tocStart,
-                   blTable.capacity());
         const pnor_partition& partition = blTable.partition(blPartitionName);
         size_t hbbOffset = partition.data.base * eraseSize;
         uint32_t hbbSize = partition.data.actual;
-        // Copy HBB
-        flash_copy(&local, hbbOffset,
-                   static_cast<uint8_t*>(context->mem) + hbbOffset, hbbSize);
+
+        if (context->mem_size < tocStart + blTable.capacity() ||
+            context->mem_size < hbbOffset + hbbSize)
+        {
+            MSG_ERR("Reserved memory too small for dumb bootstrap\n");
+            return -EINVAL;
+        }
+
+        uint8_t* buf8 = static_cast<uint8_t*>(context->mem);
+        flash_copy(&local, tocOffset, buf8 + tocStart, blTable.capacity());
+        flash_copy(&local, hbbOffset, buf8 + hbbOffset, hbbSize);
     }
     catch (err::InternalFailure& e)
     {
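Review bot: The added bounds check on the `if (context->mem_size < ...` lines compares against sums that can wrap, so an image with a large enough `partition.data.base` or `partition.data.actual` could still pass it and reach the `flash_copy` calls into `context->mem`. `hbbOffset + hbbSize` is computed in `size_t`, which is 32 bits on a 32-bit target, and `partition.data.base * eraseSize` may already have wrapped before the check (the types of that field and of `eraseSize` are not visible here, so this needs confirming). Writing each test as a subtraction avoids the wrap: `hbbOffset > context->mem_size || hbbSize > context->mem_size - hbbOffset`, with the same form for `tocStart` and `blTable.capacity()`. The enclosing try block begins above the hunk and the catch handler continues below it.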