Edward O'Callaghan has uploaded this change for review. ( https://review.coreboot.org/c/flashrom/+/61545 )
Change subject: fmap.c: Avoid undefined behaviour with fmap_lsearch([len:=0]) ......................................................................
fmap.c: Avoid undefined behaviour with fmap_lsearch([len:=0])
Calling libflashrom entry-points that internally dispatch to fmap_lsearch() can result in an integer overflow. Therefore validate the length parameter before attempting to use it.
BUG=none TEST=`make`
Change-Id: Ifb408c55c3b69ddff453dcc704b7389298050473 Signed-off-by: Edward O'Callaghan quasisec@google.com Spotted-by: Julius Werner jwerner@chromium.org --- M fmap.c 1 file changed, 3 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/flashrom refs/changes/45/61545/1
diff --git a/fmap.c b/fmap.c index b18cbf7..bb7c0d9 100644 --- a/fmap.c +++ b/fmap.c @@ -96,6 +96,9 @@ off_t offset; bool fmap_found = 0;
+ if (len == 0) + return -1; + for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) { if (is_valid_fmap((struct fmap *)&buf[offset])) { fmap_found = 1;
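Review bot: The new `if (len == 0) return -1;` guard only covers one value of the whole underflow range. The loop bound `offset <= (off_t)(len - sizeof(struct fmap))` computes `len - sizeof(struct fmap)` in unsigned arithmetic, so it wraps for every `len` smaller than `sizeof(struct fmap)`, not just for `len == 0`; what the wrapped value then becomes after the cast to `off_t` is implementation-defined, so the loop bound is unreliable for the entire range `0 < len < sizeof(struct fmap)` as well. Suggest replacing the check with `if (len < sizeof(struct fmap)) return -1;` so the subtraction can never go below zero, and noting in the commit message that the guard covers all buffers too short to hold an fmap header rather than only the empty one.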