Diffstat (limited to 'config/coreboot/coreboot413/patches/0001-cbfstool-Make-use-of-spurious-null-termination.patch')
-rw-r--r--config/coreboot/coreboot413/patches/0001-cbfstool-Make-use-of-spurious-null-termination.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/config/coreboot/coreboot413/patches/0001-cbfstool-Make-use-of-spurious-null-termination.patch b/config/coreboot/coreboot413/patches/0001-cbfstool-Make-use-of-spurious-null-termination.patch
new file mode 100644
index 00000000..dfc684e1
--- /dev/null
+++ b/config/coreboot/coreboot413/patches/0001-cbfstool-Make-use-of-spurious-null-termination.patch
@@ -0,0 +1,56 @@
+From f22f408956bf02609a96b7d72fb3321da159bfc6 Mon Sep 17 00:00:00 2001
+From: Nico Huber <nico.huber@secunet.com>
+Date: Tue, 22 Jun 2021 13:49:44 +0000
+Subject: [PATCH 1/1] cbfstool: Make use of spurious null-termination
+
+The null-termination of `filetypes` was added after the code was
+written, obviously resulting in NULL dereferences. As some more
+code has grown around the termination, it's hard to revert the
+regression, so let's update the code that still used the array
+length.
+
+This fixes commit 7f5f9331d1 (util/cbfstool: fix buffer over-read)
+which actually did fix something, but only one path while it broke
+two others. We should be careful with fixes, they can always break
+something else. Especially when a dumb tool triggered the patching
+it seems likely that fewer people looked into related code.
+
+Change-Id: If2ece1f5ad62952ed2e57769702e318ba5468f0c
+Signed-off-by: Nico Huber <nico.huber@secunet.com>
+Reviewed-on: https://review.coreboot.org/c/coreboot/+/55763
+Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
+Reviewed-by: Julius Werner <jwerner@chromium.org>
+---
+ util/cbfstool/common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/util/cbfstool/common.c b/util/cbfstool/common.c
+index e2ed38ffc4..539d0baccf 100644
+--- a/util/cbfstool/common.c
++++ b/util/cbfstool/common.c
+@@ -168,10 +168,10 @@ void print_supported_architectures(void)
+
+ void print_supported_filetypes(void)
+ {
+- int i, number = ARRAY_SIZE(filetypes);
++ int i;
+
+- for (i=0; i<number; i++) {
+- printf(" %s%c", filetypes[i].name, (i==(number-1))?'\n':',');
++ for (i=0; filetypes[i].name; i++) {
++ printf(" %s%c", filetypes[i].name, filetypes[i + 1].name ? ',' : '\n');
+ if ((i%8) == 7)
+ printf("\n");
+ }
+@@ -180,7 +180,7 @@ void print_supported_filetypes(void)
+ uint64_t intfiletype(const char *name)
+ {
+ size_t i;
+- for (i = 0; i < (sizeof(filetypes) / sizeof(struct typedesc_t)); i++)
++ for (i = 0; filetypes[i].name; i++)
+ if (strcmp(filetypes[i].name, name) == 0)
+ return filetypes[i].type;
+ return -1;
+--
+2.39.2
+
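Review bot: Both rewritten loops in the embedded common.c change (`for (i = 0; filetypes[i].name; i++)` in print_supported_filetypes and in intfiletype) now stop only at an entry whose `name` is NULL, and nothing in the hunk documents that requirement. The `filetypes` definition is outside the hunk, so the terminator cannot be confirmed from here; if it were ever dropped, both loops and the `filetypes[i + 1].name` look-ahead would read past the end of the array. I would add a comment above each loop, for example `/* filetypes[] must end with an entry whose name is NULL; do not iterate by ARRAY_SIZE */`. Separately, the unchanged `return -1;` in intfiletype becomes UINT64_MAX through the `uint64_t` return type, so callers presumably have to compare against `(uint64_t)-1`, and a one-line comment saying so would help.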