Alexandre Rebert has uploaded a new patch set (#2). ( https://review.coreboot.org/c/coreboot/+/39177 )
Change subject: libpayload: cbfs: fix infinite loop in cbfs_get_{handle,attr}
libpayload: cbfs: fix infinite loop in cbfs_get_{handle,attr}
cbfs_get_handle() and cbfs_get_attr() are both looping over elements to find a particular one. Each element header contains the element's length, which is used to compute the next element's offset. Invalid or corrupted CBFS files could lead to infinite loops where the offset would remain constant across iterations, due to 0-length elements or integer overflows in the computation of the next offset.
This patch makes both functions more robust by adding a check that ensures offsets are strictly monotonic. Instead of looping infinitely, the functions now print an ERROR and return a NULL value.
Change-Id: I440e82fa969b8c2aacc5800e7e26450c3b97c74a
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
---
M payloads/libpayload/libcbfs/cbfs_core.c
1 file changed, 17 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/39177/2
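The commit message describes the loop condition without showing it. The following added example (not the patch's code, and not libpayload's real header layout, which is big-endian) walks a simplified element chain over constructed images and applies the strictly-monotonic offset check, so the two failure modes named above, a zero-length element and a wrapped next-offset sum, are rejected instead of spinning; `fake_hdr`, `walk_elements`, `put_hdr` and `run_case` are names invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for a CBFS file header: an assumption here, not libpayload's struct. */
struct fake_hdr {
	uint32_t len;    /* length of the element's data */
	uint32_t offset; /* header size, i.e. where the data begins */
};
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))
/* Walk the element chain from `start`. Returns the number of headers visited
 * before the end of the image, or -1 when the next offset fails to advance. */
int walk_elements(const uint8_t *img, size_t img_size, uint32_t start, uint32_t align)
{
	uint32_t offset = start;
	int count = 0;
	while ((size_t)offset + sizeof(struct fake_hdr) <= img_size) {
		struct fake_hdr hdr;
		memcpy(&hdr, img + offset, sizeof(hdr));
		count++;
		/* 32-bit wraparound is deliberate: corrupt len/offset can wrap the sum. */
		uint32_t next = ALIGN_UP(offset + hdr.len + hdr.offset, align);
		if (next <= offset) {  /* strictly monotonic, or bail out */
			printf("ERROR: CBFS offset did not advance (%u -> %u)\n", offset, next);
			return -1;
		}
		offset = next;
	}
	return count;
}
/* Write one constructed header at byte offset `at`. */
static void put_hdr(uint8_t *img, uint32_t at, uint32_t len, uint32_t off)
{
	struct fake_hdr hdr = { len, off };
	memcpy(img + at, &hdr, sizeof(hdr));
}
/* Constructed 256-byte images, 64-byte alignment. kind 0: valid chain,
 * 1: zero-length element, 2: length that wraps the next-offset sum. */
int run_case(int kind)
{
	uint8_t img[256] = { 0 };
	put_hdr(img, 0, 8, 8);                /* next = ALIGN_UP(16, 64) = 64 */
	if (kind == 0) {
		put_hdr(img, 64, 0, 8);       /* zero-length data still advances: 128 */
		put_hdr(img, 128, 100, 8);    /* next = 256 = end of image */
	} else if (kind == 1) {
		put_hdr(img, 64, 0, 0);       /* next = ALIGN_UP(64, 64) = 64: stuck */
	} else {
		put_hdr(img, 64, 0xFFFFFFC0u, 0); /* 64 + len wraps to 0: goes backwards */
	}
	return walk_elements(img, sizeof(img), 0, 64);
}
```

Without the `next <= offset` check, cases 1 and 2 keep re-reading the header at offset 64 forever, which is exactly the Mayhem finding the patch addresses.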