[coreboot-gerrit] New patch to review for coreboot: util/cbfstool: Improve heuristic for cbfs header pointer protection
Patrick Georgi (pgeorgi@google.com)
gerrit at coreboot.org
Wed Feb 10 18:10:51 CET 2016
Patrick Georgi (pgeorgi at google.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/13672
-gerrit
commit a54672ba73da6d834dbe3ee88de0353b39d89cb2
Author: Patrick Georgi <pgeorgi at chromium.org>
Date: Wed Feb 10 18:07:52 2016 +0100
util/cbfstool: Improve heuristic for cbfs header pointer protection
cbfstool has a routine to deal with old images that may encourage it to
overwrite the master header. That routine is triggered for
"cbfstool add-master-header" prepared images even though these are not
at risk, and - worse - destroys the chain structure (through a negative
file length), so avoid touching such images.
Change-Id: I9d0bbe3e6300b9b9f3e50347737d1850f83ddad8
Signed-off-by: Patrick Georgi <pgeorgi at chromium.org>
---
util/cbfstool/cbfs_image.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/util/cbfstool/cbfs_image.c b/util/cbfstool/cbfs_image.c
index 314ea57..65d7f7c 100644
--- a/util/cbfstool/cbfs_image.c
+++ b/util/cbfstool/cbfs_image.c
@@ -110,6 +110,9 @@ static int cbfs_fix_legacy_size(struct cbfs_image *image, char *hdr_loc)
// A bug in old cbfstool may produce extra few bytes (by alignment) and
// cause cbfstool to overwrite things after free space -- which is
// usually CBFS header on x86. We need to workaround that.
+ // Except when the last file is smaller than the header alignment,
+ // since that's a pretty good clue that the last file exists to guard
+ // the header pointer (and the master header is in a file, too).
struct cbfs_file *entry, *first = NULL, *last = NULL;
for (first = entry = cbfs_find_first_entry(image);
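Review bot: the new comment says "smaller than the header alignment", but the condition added in the following hunk is `ntohl(last->len) > image->header.align`, so a last file whose length is exactly equal to the alignment is also left untouched. Either phrase the comment as "not larger than the header alignment" or, if exact equality is meant to be fixed, use `>=` in the code; as written, the comment and the check disagree at the boundary.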
@@ -118,7 +121,8 @@ static int cbfs_fix_legacy_size(struct cbfs_image *image, char *hdr_loc)
last = entry;
}
if ((char *)first < (char *)hdr_loc &&
- (char *)entry > (char *)hdr_loc) {
+ (char *)entry > (char *)hdr_loc &&
+ (ntohl(last->len) > image->header.align)) {
WARN("CBFS image was created with old cbfstool with size bug. "
"Fixing size in last entry...\n");
last->len = htonl(ntohl(last->len) - image->header.align);
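Review bot: the added clause `(ntohl(last->len) > image->header.align)` dereferences `last`, which is initialised to `NULL` above and only assigned inside the loop; the two existing clauses only compare pointers and never touched it, so this condition is the first place a NULL `last` would be dereferenced. Please confirm the loop always runs at least once whenever `first < hdr_loc && entry > hdr_loc` holds, or guard it explicitly with `last != NULL &&` before the length comparison. The check itself does avoid the underflow in `last->len - image->header.align` that the commit message describes, so it is the right fix in substance. Minor style point: the extra parentheses around the new clause are not needed.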