update config/submodule/coreboot
I forgot to update it when updating coreboot revs based on lbmk.

Signed-off-by: Leah Rowe <info@minifree.org>
master
parent
01331db17f
commit
1d9f56bdf7
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/libreboot.org/release/misc/acpica/R06_28_23.tar.gz"
|
|
||||||
subfile_bkup="https://mirror.math.princeton.edu/pub/libreboot/misc/acpica/R06_28_23.tar.gz"
|
|
||||||
subhash="d64091202866cd306fef08bbf95b585584331704fdbe5ef0bfa99c8f9cb188e51a52880625c8d6bc971b3d251c8b13686b43a013058cadda861efe09b219c1b0"
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
subfile="https://www.mirrorservice.org/sites/libreboot.org/release/misc/acpica/acpica-unix-20230628.tar.gz"
|
||||||
|
subfile_bkup="https://mirror.math.princeton.edu/pub/libreboot/misc/acpica/acpica-unix-20230628.tar.gz"
|
||||||
|
subhash="d726e69ebd8b8110690e3aff8d1919b43b0a2185efdeb9131ea8d89d321ca3a318a89c721ea740ae366f31ed3d1c11c2906f8807ee8a190e6f67fe5b2023cea4"
|
|
@ -1,3 +1,3 @@
|
||||||
subrepo="https://review.coreboot.org/arm-trusted-firmware.git"
|
subrepo="https://review.coreboot.org/arm-trusted-firmware.git"
|
||||||
subrepo_bkup="https://github.com/coreboot/arm-trusted-firmware"
|
subrepo_bkup="https://github.com/coreboot/arm-trusted-firmware"
|
||||||
subhash="23d6774ab53ded09d8065a184b4763504e9c8d9e"
|
subhash="c5b8de86c8838d08d5d8c9d67c7a432817ee62b8"
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/binutils/binutils-2.41.tar.xz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/binutils/binutils-2.41.tar.xz"
|
|
||||||
subhash="5df45d0bd6ddabdce4f35878c041e46a92deef01e7dea5facc97fd65cc06b59abc6fba0eb454b68e571c7e14038dc823fe7f2263843e6e627b7444eaf0fe9374"
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/binutils/binutils-2.42.tar.xz"
|
||||||
|
subfile_bkup="https://ftp.nluug.nl/pub/gnu/binutils/binutils-2.42.tar.xz"
|
||||||
|
subhash="155f3ba14cd220102f4f29a4f1e5cfee3c48aa03b74603460d05afb73c70d6657a9d87eee6eb88bf13203fe6f31177a5c9addc04384e956e7da8069c8ecd20a6"
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/gcc/gcc-13.2.0/gcc-13.2.0.tar.xz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/gcc/gcc-13.2.0/gcc-13.2.0.tar.xz"
|
|
||||||
subhash="d99e4826a70db04504467e349e9fbaedaa5870766cda7c5cab50cdebedc4be755ebca5b789e1232a34a20be1a0b60097de9280efe47bdb71c73251e30b0862a2"
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/gcc/gcc-14.1.0/gcc-14.1.0.tar.xz"
|
||||||
|
subfile_bkup="https://ftp.nluug.nl/pub/gnu/gcc/gcc-14.1.0/gcc-14.1.0.tar.xz"
|
||||||
|
subhash="e9e224f2b26646fcf038d28dfa08b94c623bc57941f99894a321d01c600f7c68aff6b8837fd25e73e540de1f8de5606e98694a62cdcdfb525ce768b3ef6879ea"
|
|
@ -1,3 +1,3 @@
|
||||||
subrepo="https://review.coreboot.org/libgfxinit.git"
|
subrepo="https://review.coreboot.org/libgfxinit.git"
|
||||||
subrepo_bkup="https://github.com/coreboot/libgfxinit"
|
subrepo_bkup="https://github.com/coreboot/libgfxinit"
|
||||||
subhash="a4be8a21b0e2c752da0042c79aae5942418f53e2"
|
subhash="17cfc92f402493979783585b6581efbd98c0cf07"
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
From 2c29f01a18d0a104bcc4f785e3901de584d02d7e Mon Sep 17 00:00:00 2001
|
From ba078864500de99c26b6ea7e3fdcef19bca582a7 Mon Sep 17 00:00:00 2001
|
||||||
From: Nicholas Chin <nic.c3.14@gmail.com>
|
From: Nicholas Chin <nic.c3.14@gmail.com>
|
||||||
Date: Mon, 20 May 2024 10:10:03 -0600
|
Date: Mon, 20 May 2024 10:10:03 -0600
|
||||||
Subject: [PATCH] g45/hw-gfx-gma-plls.adb: Make reference clock frequency
|
Subject: [PATCH 1/1] g45/hw-gfx-gma-plls.adb: Make reference clock frequency
|
||||||
configurable
|
configurable
|
||||||
|
|
||||||
Instead of assuming a 96 MHz reference clock frequency, use the value
|
Instead of assuming a 96 MHz reference clock frequency, use the value
|
||||||
|
@ -16,7 +16,7 @@ Signed-off-by: Nicholas Chin <nic.c3.14@gmail.com>
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/common/g45/hw-gfx-gma-plls.adb b/common/g45/hw-gfx-gma-plls.adb
|
diff --git a/common/g45/hw-gfx-gma-plls.adb b/common/g45/hw-gfx-gma-plls.adb
|
||||||
index 67242f2..1aee576 100644
|
index 67242f2..5e970d7 100644
|
||||||
--- a/common/g45/hw-gfx-gma-plls.adb
|
--- a/common/g45/hw-gfx-gma-plls.adb
|
||||||
+++ b/common/g45/hw-gfx-gma-plls.adb
|
+++ b/common/g45/hw-gfx-gma-plls.adb
|
||||||
@@ -12,6 +12,8 @@
|
@@ -12,6 +12,8 @@
|
||||||
|
@ -38,5 +38,5 @@ index 67242f2..1aee576 100644
|
||||||
Valid => Success);
|
Valid => Success);
|
||||||
else
|
else
|
||||||
--
|
--
|
||||||
2.45.1
|
2.39.2
|
||||||
|
|
|
@ -2,10 +2,10 @@
|
||||||
3rdparty/libgfxinit
|
3rdparty/libgfxinit
|
||||||
3rdparty/libhwbase
|
3rdparty/libhwbase
|
||||||
3rdparty/vboot
|
3rdparty/vboot
|
||||||
util/crossgcc/tarballs/binutils-2.41.tar.xz
|
util/crossgcc/tarballs/binutils-2.42.tar.xz
|
||||||
util/crossgcc/tarballs/gcc-13.2.0.tar.xz
|
util/crossgcc/tarballs/gcc-14.1.0.tar.xz
|
||||||
util/crossgcc/tarballs/gmp-6.3.0.tar.xz
|
util/crossgcc/tarballs/gmp-6.3.0.tar.xz
|
||||||
util/crossgcc/tarballs/mpc-1.3.1.tar.gz
|
util/crossgcc/tarballs/mpc-1.3.1.tar.gz
|
||||||
util/crossgcc/tarballs/mpfr-4.2.1.tar.xz
|
util/crossgcc/tarballs/mpfr-4.2.1.tar.xz
|
||||||
util/crossgcc/tarballs/nasm-2.16.01.tar.bz2
|
util/crossgcc/tarballs/nasm-2.16.03.tar.bz2
|
||||||
util/crossgcc/tarballs/R06_28_23.tar.gz
|
util/crossgcc/tarballs/acpica-unix-20230628.tar.gz
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.nasm.us/pub/nasm/releasebuilds/2.16.01/nasm-2.16.01.tar.bz2"
|
|
||||||
subfile_bkup="https://coreboot.org/releases/crossgcc-sources/nasm-2.16.01.tar.bz2"
|
|
||||||
subhash="daecc50d0c04cfa1e8a09bbece808548478fc03834b0c3fb06a9da56d3b51697e2d09a469cef8a4761290cdfc65e0eb46d76b6ca11dfa1dcd1051882c5e7fd88"
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
subfile="https://www.nasm.us/pub/nasm/releasebuilds/2.16.03/nasm-2.16.03.tar.bz2"
|
||||||
|
subfile_bkup="https://www.mirrorservice.org/sites/distfiles.macports.org/nasm/nasm-2.16.03.tar.bz2"
|
||||||
|
subhash="f28445d368debdf44219cc57df33800a8c0e49186cd60836d4adfec7700d53b801d34aa9fc9bfda74169843f33a1e8b465e11292582eb968bb9c3a26f54dd172"
|
|
@ -1,3 +1,3 @@
|
||||||
subrepo="https://review.coreboot.org/vboot.git"
|
subrepo="https://review.coreboot.org/vboot.git"
|
||||||
subrepo_bkup="https://github.com/coreboot/vboot"
|
subrepo_bkup="https://github.com/coreboot/vboot"
|
||||||
subhash="3d37d2aafe1f941c532def2a1fbbb58c8dd84182"
|
subhash="4b12d392e5b12de29c582df4e717b1228e9f1594"
|
||||||
|
|
|
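Review bot: The new vboot pin on the `subhash="4b12d392e5b12de29c582df4e717b1228e9f1594"` line arrives in the same commit that deletes three copies of the local `extract_vmlinuz.c` bounds-check patch (Change-Id I5c03e49070b6dd2e04459566ef7dd129d27736e4), and nothing on the page says whether the pinned revision already carries that fix. File paths are not visible here, so it is unclear whether the deleted patches belonged to trees that are being removed outright or to one that now builds against this revision. If it is the latter and the fix is absent upstream, `ExtractVmlinuz()` would again copy from partition data whose header offset and size passed only the old check that the patch description calls wrong. Please confirm the fix is an ancestor of the pinned commit and record that in the commit message, e.g. `vboot: pinned revision includes the extract_vmlinuz bounds-check fix (Change-Id I5c03e49070b6dd2e04459566ef7dd129d27736e4); local patch dropped`.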
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/libgfxinit.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/libgfxinit"
|
|
||||||
subhash="a4be8a21b0e2c752da0042c79aae5942418f53e2"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/libhwbase.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/libhwbase"
|
|
||||||
subhash="584629b9f4771b7618951cec57df2ca3af9c6981"
|
|
|
@ -1,3 +0,0 @@
|
||||||
3rdparty/libgfxinit
|
|
||||||
3rdparty/libhwbase
|
|
||||||
3rdparty/vboot
|
|
|
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/vboot.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/vboot"
|
|
||||||
subhash="3d37d2aafe1f941c532def2a1fbbb58c8dd84182"
|
|
|
@ -1,178 +0,0 @@
|
||||||
From 195f61375aeec9eec16604ec59f6eda2e6058cc1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Luke T. Shumaker" <lukeshu@lukeshu.com>
|
|
||||||
Date: Thu, 30 May 2024 14:08:33 -0600
|
|
||||||
Subject: [PATCH 1/1] extract_vmlinuz.c: Fix the bounds check on
|
|
||||||
vmlinuz_header_{offset,size}
|
|
||||||
|
|
||||||
The check on vmlinuz_header_offset and vmlinuz_header_size is obviously
|
|
||||||
wrong:
|
|
||||||
|
|
||||||
if (!vmlinuz_header_size ||
|
|
||||||
kpart_data + vmlinuz_header_offset + vmlinuz_header_size >
|
|
||||||
kpart_data) {
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
`kpart_data + some_unsigned_values` can obviously never be `> kpart_data`,
|
|
||||||
unless something has overflowed! And `vmlinuz_header_offset` hasn't even
|
|
||||||
been set yet (besides being initialized to zero)!
|
|
||||||
|
|
||||||
GCC will deduce that if the check didn't cause the function to bail, then
|
|
||||||
vmlinuz_header_size (a uint32_t) must be "negative"; that is: in the range
|
|
||||||
[2GiB,4GiB).
|
|
||||||
|
|
||||||
On platforms where size_t is 32-bits, this is *especially* broken.
|
|
||||||
memcpy's size argument must be in the range [0,2GiB). Because GCC has
|
|
||||||
proved that vmlinuz_header_size is higher than that, it will fail to
|
|
||||||
compile:
|
|
||||||
|
|
||||||
host/lib/extract_vmlinuz.c:67:9: error: 'memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=]
|
|
||||||
|
|
||||||
So, fix the check.
|
|
||||||
|
|
||||||
I can now say that what I suspect the original author meant to write would
|
|
||||||
be the following patch, if `vmlinuz_header_offset` were already set:
|
|
||||||
|
|
||||||
-kpart_data + vmlinuz_header_offset + vmlinuz_header_size > kpart_data
|
|
||||||
+now + vmlinuz_header_offset + vmlinuz_header_size > kpart_size
|
|
||||||
|
|
||||||
This hypothesis is supported by `now` not getting incremented by
|
|
||||||
`kblob_size` the way it is for the keyblock and preamble sizes.
|
|
||||||
|
|
||||||
However, we can also see that even this "corrected" bounds check is
|
|
||||||
insufficient: it does not detect the vmlinuz_header overflowing into
|
|
||||||
kblob_data.
|
|
||||||
|
|
||||||
OK, so let's describe the fix:
|
|
||||||
|
|
||||||
Have a `*vmlinuz_header` pointer instead of a
|
|
||||||
`uint64_t vmlinuz_header_offset`, to be more similar to all the other
|
|
||||||
regions. With this change, the correct check becomes a simple
|
|
||||||
|
|
||||||
vmlinuz_header + vmlinuz_header_size > kblob_data
|
|
||||||
|
|
||||||
While we're at it, make some changes that could have helped avoid this in
|
|
||||||
the first place:
|
|
||||||
|
|
||||||
- Add comments.
|
|
||||||
- Calculate the vmlinuz_header offset right away, instead of waiting.
|
|
||||||
- Go ahead and increment `now` by `kblob_size`, to increase regularity.
|
|
||||||
|
|
||||||
Change-Id: I5c03e49070b6dd2e04459566ef7dd129d27736e4
|
|
||||||
---
|
|
||||||
host/lib/extract_vmlinuz.c | 72 +++++++++++++++++++++++++++-----------
|
|
||||||
1 file changed, 51 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/host/lib/extract_vmlinuz.c b/host/lib/extract_vmlinuz.c
|
|
||||||
index 4ccfcf33..d2c09443 100644
|
|
||||||
--- a/host/lib/extract_vmlinuz.c
|
|
||||||
+++ b/host/lib/extract_vmlinuz.c
|
|
||||||
@@ -15,16 +15,44 @@
|
|
||||||
|
|
||||||
int ExtractVmlinuz(void *kpart_data, size_t kpart_size,
|
|
||||||
void **vmlinuz_out, size_t *vmlinuz_size) {
|
|
||||||
+ // We're going to be extracting `vmlinuz_header` and
|
|
||||||
+ // `kblob_data`, and returning the concatenation of them.
|
|
||||||
+ //
|
|
||||||
+ // kpart_data = +-[kpart_size]------------------------------------+
|
|
||||||
+ // | |
|
|
||||||
+ // keyblock = | +-[keyblock->keyblock_size]-------------------+ |
|
|
||||||
+ // | | struct vb2_keyblock keyblock | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // preamble = | +-[preamble->preamble_size]-------------------+ |
|
|
||||||
+ // | | struct vb2_kernel_preamble preamble | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | | char [] vmlinuz_header | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // kblob_data= | +-[preamble->body_signature.data_size]--------+ |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // +-------------------------------------------------+
|
|
||||||
+
|
|
||||||
size_t now = 0;
|
|
||||||
+ // The 3 sections of kpart_data.
|
|
||||||
+ struct vb2_keyblock *keyblock = NULL;
|
|
||||||
struct vb2_kernel_preamble *preamble = NULL;
|
|
||||||
uint8_t *kblob_data = NULL;
|
|
||||||
uint32_t kblob_size = 0;
|
|
||||||
+ // vmlinuz_header
|
|
||||||
+ uint8_t *vmlinuz_header = NULL;
|
|
||||||
uint32_t vmlinuz_header_size = 0;
|
|
||||||
- uint64_t vmlinuz_header_address = 0;
|
|
||||||
- uint64_t vmlinuz_header_offset = 0;
|
|
||||||
+ // The concatenated result.
|
|
||||||
void *vmlinuz = NULL;
|
|
||||||
|
|
||||||
- struct vb2_keyblock *keyblock = (struct vb2_keyblock *)kpart_data;
|
|
||||||
+ // Isolate the 3 sections of kpart_data.
|
|
||||||
+
|
|
||||||
+ keyblock = (struct vb2_keyblock *)kpart_data;
|
|
||||||
now += keyblock->keyblock_size;
|
|
||||||
if (now > kpart_size)
|
|
||||||
return 1;
|
|
||||||
@@ -36,37 +64,39 @@ int ExtractVmlinuz(void *kpart_data, size_t kpart_size,
|
|
||||||
|
|
||||||
kblob_data = kpart_data + now;
|
|
||||||
kblob_size = preamble->body_signature.data_size;
|
|
||||||
-
|
|
||||||
- if (!kblob_data || (now + kblob_size) > kpart_size)
|
|
||||||
+ now += kblob_size;
|
|
||||||
+ if (now > kpart_size)
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
+ // Find `vmlinuz_header` within `preamble`.
|
|
||||||
+
|
|
||||||
if (preamble->header_version_minor > 0) {
|
|
||||||
- vmlinuz_header_address = preamble->vmlinuz_header_address;
|
|
||||||
+ // calculate the vmlinuz_header offset from
|
|
||||||
+ // the beginning of the kpart_data. The kblob doesn't
|
|
||||||
+ // include the body_load_offset, but does include
|
|
||||||
+ // the keyblock and preamble sections.
|
|
||||||
+ size_t vmlinuz_header_offset =
|
|
||||||
+ preamble->vmlinuz_header_address -
|
|
||||||
+ preamble->body_load_address +
|
|
||||||
+ keyblock->keyblock_size +
|
|
||||||
+ preamble->preamble_size;
|
|
||||||
+
|
|
||||||
+ vmlinuz_header = kpart_data + vmlinuz_header_offset;
|
|
||||||
vmlinuz_header_size = preamble->vmlinuz_header_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!vmlinuz_header_size ||
|
|
||||||
- kpart_data + vmlinuz_header_offset + vmlinuz_header_size >
|
|
||||||
- kpart_data) {
|
|
||||||
+ if (!vmlinuz_header ||
|
|
||||||
+ !vmlinuz_header_size ||
|
|
||||||
+ vmlinuz_header + vmlinuz_header_size > kblob_data) {
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- // calculate the vmlinuz_header offset from
|
|
||||||
- // the beginning of the kpart_data. The kblob doesn't
|
|
||||||
- // include the body_load_offset, but does include
|
|
||||||
- // the keyblock and preamble sections.
|
|
||||||
- vmlinuz_header_offset = vmlinuz_header_address -
|
|
||||||
- preamble->body_load_address +
|
|
||||||
- keyblock->keyblock_size +
|
|
||||||
- preamble->preamble_size;
|
|
||||||
+ // Concatenate and return.
|
|
||||||
|
|
||||||
vmlinuz = malloc(vmlinuz_header_size + kblob_size);
|
|
||||||
if (vmlinuz == NULL)
|
|
||||||
return 1;
|
|
||||||
-
|
|
||||||
- memcpy(vmlinuz, kpart_data + vmlinuz_header_offset,
|
|
||||||
- vmlinuz_header_size);
|
|
||||||
-
|
|
||||||
+ memcpy(vmlinuz, vmlinuz_header, vmlinuz_header_size);
|
|
||||||
memcpy(vmlinuz + vmlinuz_header_size, kblob_data, kblob_size);
|
|
||||||
|
|
||||||
*vmlinuz_out = vmlinuz;
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
3rdparty/vboot
|
|
|
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/vboot.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/vboot"
|
|
||||||
subhash="ecdca931ae0637d1a9498f64862939bd5bb99e0b"
|
|
|
@ -1,178 +0,0 @@
|
||||||
From 195f61375aeec9eec16604ec59f6eda2e6058cc1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Luke T. Shumaker" <lukeshu@lukeshu.com>
|
|
||||||
Date: Thu, 30 May 2024 14:08:33 -0600
|
|
||||||
Subject: [PATCH 1/1] extract_vmlinuz.c: Fix the bounds check on
|
|
||||||
vmlinuz_header_{offset,size}
|
|
||||||
|
|
||||||
The check on vmlinuz_header_offset and vmlinuz_header_size is obviously
|
|
||||||
wrong:
|
|
||||||
|
|
||||||
if (!vmlinuz_header_size ||
|
|
||||||
kpart_data + vmlinuz_header_offset + vmlinuz_header_size >
|
|
||||||
kpart_data) {
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
`kpart_data + some_unsigned_values` can obviously never be `> kpart_data`,
|
|
||||||
unless something has overflowed! And `vmlinuz_header_offset` hasn't even
|
|
||||||
been set yet (besides being initialized to zero)!
|
|
||||||
|
|
||||||
GCC will deduce that if the check didn't cause the function to bail, then
|
|
||||||
vmlinuz_header_size (a uint32_t) must be "negative"; that is: in the range
|
|
||||||
[2GiB,4GiB).
|
|
||||||
|
|
||||||
On platforms where size_t is 32-bits, this is *especially* broken.
|
|
||||||
memcpy's size argument must be in the range [0,2GiB). Because GCC has
|
|
||||||
proved that vmlinuz_header_size is higher than that, it will fail to
|
|
||||||
compile:
|
|
||||||
|
|
||||||
host/lib/extract_vmlinuz.c:67:9: error: 'memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=]
|
|
||||||
|
|
||||||
So, fix the check.
|
|
||||||
|
|
||||||
I can now say that what I suspect the original author meant to write would
|
|
||||||
be the following patch, if `vmlinuz_header_offset` were already set:
|
|
||||||
|
|
||||||
-kpart_data + vmlinuz_header_offset + vmlinuz_header_size > kpart_data
|
|
||||||
+now + vmlinuz_header_offset + vmlinuz_header_size > kpart_size
|
|
||||||
|
|
||||||
This hypothesis is supported by `now` not getting incremented by
|
|
||||||
`kblob_size` the way it is for the keyblock and preamble sizes.
|
|
||||||
|
|
||||||
However, we can also see that even this "corrected" bounds check is
|
|
||||||
insufficient: it does not detect the vmlinuz_header overflowing into
|
|
||||||
kblob_data.
|
|
||||||
|
|
||||||
OK, so let's describe the fix:
|
|
||||||
|
|
||||||
Have a `*vmlinuz_header` pointer instead of a
|
|
||||||
`uint64_t vmlinuz_header_offset`, to be more similar to all the other
|
|
||||||
regions. With this change, the correct check becomes a simple
|
|
||||||
|
|
||||||
vmlinuz_header + vmlinuz_header_size > kblob_data
|
|
||||||
|
|
||||||
While we're at it, make some changes that could have helped avoid this in
|
|
||||||
the first place:
|
|
||||||
|
|
||||||
- Add comments.
|
|
||||||
- Calculate the vmlinuz_header offset right away, instead of waiting.
|
|
||||||
- Go ahead and increment `now` by `kblob_size`, to increase regularity.
|
|
||||||
|
|
||||||
Change-Id: I5c03e49070b6dd2e04459566ef7dd129d27736e4
|
|
||||||
---
|
|
||||||
host/lib/extract_vmlinuz.c | 72 +++++++++++++++++++++++++++-----------
|
|
||||||
1 file changed, 51 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/host/lib/extract_vmlinuz.c b/host/lib/extract_vmlinuz.c
|
|
||||||
index 4ccfcf33..d2c09443 100644
|
|
||||||
--- a/host/lib/extract_vmlinuz.c
|
|
||||||
+++ b/host/lib/extract_vmlinuz.c
|
|
||||||
@@ -15,16 +15,44 @@
|
|
||||||
|
|
||||||
int ExtractVmlinuz(void *kpart_data, size_t kpart_size,
|
|
||||||
void **vmlinuz_out, size_t *vmlinuz_size) {
|
|
||||||
+ // We're going to be extracting `vmlinuz_header` and
|
|
||||||
+ // `kblob_data`, and returning the concatenation of them.
|
|
||||||
+ //
|
|
||||||
+ // kpart_data = +-[kpart_size]------------------------------------+
|
|
||||||
+ // | |
|
|
||||||
+ // keyblock = | +-[keyblock->keyblock_size]-------------------+ |
|
|
||||||
+ // | | struct vb2_keyblock keyblock | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // preamble = | +-[preamble->preamble_size]-------------------+ |
|
|
||||||
+ // | | struct vb2_kernel_preamble preamble | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | | char [] vmlinuz_header | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // kblob_data= | +-[preamble->body_signature.data_size]--------+ |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // +-------------------------------------------------+
|
|
||||||
+
|
|
||||||
size_t now = 0;
|
|
||||||
+ // The 3 sections of kpart_data.
|
|
||||||
+ struct vb2_keyblock *keyblock = NULL;
|
|
||||||
struct vb2_kernel_preamble *preamble = NULL;
|
|
||||||
uint8_t *kblob_data = NULL;
|
|
||||||
uint32_t kblob_size = 0;
|
|
||||||
+ // vmlinuz_header
|
|
||||||
+ uint8_t *vmlinuz_header = NULL;
|
|
||||||
uint32_t vmlinuz_header_size = 0;
|
|
||||||
- uint64_t vmlinuz_header_address = 0;
|
|
||||||
- uint64_t vmlinuz_header_offset = 0;
|
|
||||||
+ // The concatenated result.
|
|
||||||
void *vmlinuz = NULL;
|
|
||||||
|
|
||||||
- struct vb2_keyblock *keyblock = (struct vb2_keyblock *)kpart_data;
|
|
||||||
+ // Isolate the 3 sections of kpart_data.
|
|
||||||
+
|
|
||||||
+ keyblock = (struct vb2_keyblock *)kpart_data;
|
|
||||||
now += keyblock->keyblock_size;
|
|
||||||
if (now > kpart_size)
|
|
||||||
return 1;
|
|
||||||
@@ -36,37 +64,39 @@ int ExtractVmlinuz(void *kpart_data, size_t kpart_size,
|
|
||||||
|
|
||||||
kblob_data = kpart_data + now;
|
|
||||||
kblob_size = preamble->body_signature.data_size;
|
|
||||||
-
|
|
||||||
- if (!kblob_data || (now + kblob_size) > kpart_size)
|
|
||||||
+ now += kblob_size;
|
|
||||||
+ if (now > kpart_size)
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
+ // Find `vmlinuz_header` within `preamble`.
|
|
||||||
+
|
|
||||||
if (preamble->header_version_minor > 0) {
|
|
||||||
- vmlinuz_header_address = preamble->vmlinuz_header_address;
|
|
||||||
+ // calculate the vmlinuz_header offset from
|
|
||||||
+ // the beginning of the kpart_data. The kblob doesn't
|
|
||||||
+ // include the body_load_offset, but does include
|
|
||||||
+ // the keyblock and preamble sections.
|
|
||||||
+ size_t vmlinuz_header_offset =
|
|
||||||
+ preamble->vmlinuz_header_address -
|
|
||||||
+ preamble->body_load_address +
|
|
||||||
+ keyblock->keyblock_size +
|
|
||||||
+ preamble->preamble_size;
|
|
||||||
+
|
|
||||||
+ vmlinuz_header = kpart_data + vmlinuz_header_offset;
|
|
||||||
vmlinuz_header_size = preamble->vmlinuz_header_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!vmlinuz_header_size ||
|
|
||||||
- kpart_data + vmlinuz_header_offset + vmlinuz_header_size >
|
|
||||||
- kpart_data) {
|
|
||||||
+ if (!vmlinuz_header ||
|
|
||||||
+ !vmlinuz_header_size ||
|
|
||||||
+ vmlinuz_header + vmlinuz_header_size > kblob_data) {
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- // calculate the vmlinuz_header offset from
|
|
||||||
- // the beginning of the kpart_data. The kblob doesn't
|
|
||||||
- // include the body_load_offset, but does include
|
|
||||||
- // the keyblock and preamble sections.
|
|
||||||
- vmlinuz_header_offset = vmlinuz_header_address -
|
|
||||||
- preamble->body_load_address +
|
|
||||||
- keyblock->keyblock_size +
|
|
||||||
- preamble->preamble_size;
|
|
||||||
+ // Concatenate and return.
|
|
||||||
|
|
||||||
vmlinuz = malloc(vmlinuz_header_size + kblob_size);
|
|
||||||
if (vmlinuz == NULL)
|
|
||||||
return 1;
|
|
||||||
-
|
|
||||||
- memcpy(vmlinuz, kpart_data + vmlinuz_header_offset,
|
|
||||||
- vmlinuz_header_size);
|
|
||||||
-
|
|
||||||
+ memcpy(vmlinuz, vmlinuz_header, vmlinuz_header_size);
|
|
||||||
memcpy(vmlinuz + vmlinuz_header_size, kblob_data, kblob_size);
|
|
||||||
|
|
||||||
*vmlinuz_out = vmlinuz;
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/libreboot.org/release/misc/acpica/R10_20_22.tar.gz"
|
|
||||||
subfile_bkup="https://mirror.math.princeton.edu/pub/libreboot/misc/acpica/R10_20_22.tar.gz"
|
|
||||||
subhash="2ea1892383dfeae4b0fa089bb68aa397af644775496ce2a2f8f6ac7ebbb13de499c00ddb2608f427354f8e6f6e6d26cdeb162a7061458f8e6181fb2633e7c43e"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/binutils/binutils-2.37.tar.xz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/binutils/binutils-2.37.tar.xz"
|
|
||||||
subhash="5c11aeef6935860a6819ed3a3c93371f052e52b4bdc5033da36037c1544d013b7f12cb8d561ec954fe7469a68f1b66f1a3cd53d5a3af7293635a90d69edd15e7"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/gcc/gcc-11.2.0/gcc-11.2.0.tar.xz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/gcc/gcc-11.2.0/gcc-11.2.0.tar.xz"
|
|
||||||
subhash="d53a0a966230895c54f01aea38696f818817b505f1e2bfa65e508753fcd01b2aedb4a61434f41f3a2ddbbd9f41384b96153c684ded3f0fa97c82758d9de5c7cf"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/gmp/gmp-6.2.1.tar.xz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/gmp/gmp-6.2.1.tar.xz"
|
|
||||||
subhash="c99be0950a1d05a0297d65641dd35b75b74466f7bf03c9e8a99895a3b2f9a0856cd17887738fa51cf7499781b65c049769271cbcb77d057d2e9f1ec52e07dd84"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/libgfxinit.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/libgfxinit"
|
|
||||||
subhash="066e52eeaa329d782ccee96265a6a351fc395bf1"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/libhwbase.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/libhwbase"
|
|
||||||
subhash="8be5a82b85ceb3ee8a1c4fbf36c75a4bfbda8900"
|
|
|
@ -1,10 +0,0 @@
|
||||||
3rdparty/libgfxinit
|
|
||||||
3rdparty/libhwbase
|
|
||||||
3rdparty/vboot
|
|
||||||
util/crossgcc/tarballs/binutils-2.37.tar.xz
|
|
||||||
util/crossgcc/tarballs/gcc-11.2.0.tar.xz
|
|
||||||
util/crossgcc/tarballs/gmp-6.2.1.tar.xz
|
|
||||||
util/crossgcc/tarballs/mpc-1.3.1.tar.gz
|
|
||||||
util/crossgcc/tarballs/mpfr-4.2.0.tar.xz
|
|
||||||
util/crossgcc/tarballs/nasm-2.15.05.tar.bz2
|
|
||||||
util/crossgcc/tarballs/R10_20_22.tar.gz
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/mpc/mpc-1.3.1.tar.gz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/mpc/mpc-1.3.1.tar.gz"
|
|
||||||
subhash="4bab4ef6076f8c5dfdc99d810b51108ced61ea2942ba0c1c932d624360a5473df20d32b300fc76f2ba4aa2a97e1f275c9fd494a1ba9f07c4cb2ad7ceaeb1ae97"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.mirrorservice.org/sites/ftp.gnu.org/gnu/mpfr/mpfr-4.2.0.tar.xz"
|
|
||||||
subfile_bkup="https://ftp.nluug.nl/pub/gnu/mpfr/mpfr-4.2.0.tar.xz"
|
|
||||||
subhash="58e843125884ca58837ae5159cd4092af09e8f21931a2efd19c15de057c9d1dc0753ae95c592e2ce59a727fbc491af776db8b00a055320413cdcf2033b90505c"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subfile="https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/nasm-2.15.05.tar.bz2"
|
|
||||||
subfile_bkup="https://coreboot.org/releases/crossgcc-sources/nasm-2.15.05.tar.bz2"
|
|
||||||
subhash="e608222eea4970249f0ee1638207b3368fb43b87117cfdb2788b2c7fd6e221f567ee8dd9b910f9e0c4837dc4866606cd9baf5c3266b81188037059b79635ea79"
|
|
|
@ -1,3 +0,0 @@
|
||||||
subrepo="https://review.coreboot.org/vboot.git"
|
|
||||||
subrepo_bkup="https://github.com/coreboot/vboot"
|
|
||||||
subhash="5b8596cefd1a61252501943f2534323708338732"
|
|
|
@ -1,178 +0,0 @@
|
||||||
From 195f61375aeec9eec16604ec59f6eda2e6058cc1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Luke T. Shumaker" <lukeshu@lukeshu.com>
|
|
||||||
Date: Thu, 30 May 2024 14:08:33 -0600
|
|
||||||
Subject: [PATCH 1/1] extract_vmlinuz.c: Fix the bounds check on
|
|
||||||
vmlinuz_header_{offset,size}
|
|
||||||
|
|
||||||
The check on vmlinuz_header_offset and vmlinuz_header_size is obviously
|
|
||||||
wrong:
|
|
||||||
|
|
||||||
if (!vmlinuz_header_size ||
|
|
||||||
kpart_data + vmlinuz_header_offset + vmlinuz_header_size >
|
|
||||||
kpart_data) {
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
`kpart_data + some_unsigned_values` can obviously never be `> kpart_data`,
|
|
||||||
unless something has overflowed! And `vmlinuz_header_offset` hasn't even
|
|
||||||
been set yet (besides being initialized to zero)!
|
|
||||||
|
|
||||||
GCC will deduce that if the check didn't cause the function to bail, then
|
|
||||||
vmlinuz_header_size (a uint32_t) must be "negative"; that is: in the range
|
|
||||||
[2GiB,4GiB).
|
|
||||||
|
|
||||||
On platforms where size_t is 32-bits, this is *especially* broken.
|
|
||||||
memcpy's size argument must be in the range [0,2GiB). Because GCC has
|
|
||||||
proved that vmlinuz_header_size is higher than that, it will fail to
|
|
||||||
compile:
|
|
||||||
|
|
||||||
host/lib/extract_vmlinuz.c:67:9: error: 'memcpy' specified bound between 2147483648 and 4294967295 exceeds maximum object size 2147483647 [-Werror=stringop-overflow=]
|
|
||||||
|
|
||||||
So, fix the check.
|
|
||||||
|
|
||||||
I can now say that what I suspect the original author meant to write would
|
|
||||||
be the following patch, if `vmlinuz_header_offset` were already set:
|
|
||||||
|
|
||||||
-kpart_data + vmlinuz_header_offset + vmlinuz_header_size > kpart_data
|
|
||||||
+now + vmlinuz_header_offset + vmlinuz_header_size > kpart_size
|
|
||||||
|
|
||||||
This hypothesis is supported by `now` not getting incremented by
|
|
||||||
`kblob_size` the way it is for the keyblock and preamble sizes.
|
|
||||||
|
|
||||||
However, we can also see that even this "corrected" bounds check is
|
|
||||||
insufficient: it does not detect the vmlinuz_header overflowing into
|
|
||||||
kblob_data.
|
|
||||||
|
|
||||||
OK, so let's describe the fix:
|
|
||||||
|
|
||||||
Have a `*vmlinuz_header` pointer instead of a
|
|
||||||
`uint64_t vmlinuz_header_offset`, to be more similar to all the other
|
|
||||||
regions. With this change, the correct check becomes a simple
|
|
||||||
|
|
||||||
vmlinuz_header + vmlinuz_header_size > kblob_data
|
|
||||||
|
|
||||||
While we're at it, make some changes that could have helped avoid this in
|
|
||||||
the first place:
|
|
||||||
|
|
||||||
- Add comments.
|
|
||||||
- Calculate the vmlinuz_header offset right away, instead of waiting.
|
|
||||||
- Go ahead and increment `now` by `kblob_size`, to increase regularity.
|
|
||||||
|
|
||||||
Change-Id: I5c03e49070b6dd2e04459566ef7dd129d27736e4
|
|
||||||
---
|
|
||||||
host/lib/extract_vmlinuz.c | 72 +++++++++++++++++++++++++++-----------
|
|
||||||
1 file changed, 51 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/host/lib/extract_vmlinuz.c b/host/lib/extract_vmlinuz.c
|
|
||||||
index 4ccfcf33..d2c09443 100644
|
|
||||||
--- a/host/lib/extract_vmlinuz.c
|
|
||||||
+++ b/host/lib/extract_vmlinuz.c
|
|
||||||
@@ -15,16 +15,44 @@
|
|
||||||
|
|
||||||
int ExtractVmlinuz(void *kpart_data, size_t kpart_size,
|
|
||||||
void **vmlinuz_out, size_t *vmlinuz_size) {
|
|
||||||
+ // We're going to be extracting `vmlinuz_header` and
|
|
||||||
+ // `kblob_data`, and returning the concatenation of them.
|
|
||||||
+ //
|
|
||||||
+ // kpart_data = +-[kpart_size]------------------------------------+
|
|
||||||
+ // | |
|
|
||||||
+ // keyblock = | +-[keyblock->keyblock_size]-------------------+ |
|
|
||||||
+ // | | struct vb2_keyblock keyblock | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // preamble = | +-[preamble->preamble_size]-------------------+ |
|
|
||||||
+ // | | struct vb2_kernel_preamble preamble | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | | char [] vmlinuz_header | |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // kblob_data= | +-[preamble->body_signature.data_size]--------+ |
|
|
||||||
+ // | | char [] ...data... | |
|
|
||||||
+ // | +---------------------------------------------+ |
|
|
||||||
+ // | |
|
|
||||||
+ // +-------------------------------------------------+
|
|
||||||
+
|
|
||||||
size_t now = 0;
|
|
||||||
+ // The 3 sections of kpart_data.
|
|
||||||
+ struct vb2_keyblock *keyblock = NULL;
|
|
||||||
struct vb2_kernel_preamble *preamble = NULL;
|
|
||||||
uint8_t *kblob_data = NULL;
|
|
||||||
uint32_t kblob_size = 0;
|
|
||||||
+ // vmlinuz_header
|
|
||||||
+ uint8_t *vmlinuz_header = NULL;
|
|
||||||
uint32_t vmlinuz_header_size = 0;
|
|
||||||
- uint64_t vmlinuz_header_address = 0;
|
|
||||||
- uint64_t vmlinuz_header_offset = 0;
|
|
||||||
+ // The concatenated result.
|
|
||||||
void *vmlinuz = NULL;
|
|
||||||
|
|
||||||
- struct vb2_keyblock *keyblock = (struct vb2_keyblock *)kpart_data;
|
|
||||||
+ // Isolate the 3 sections of kpart_data.
|
|
||||||
+
|
|
||||||
+ keyblock = (struct vb2_keyblock *)kpart_data;
|
|
||||||
now += keyblock->keyblock_size;
|
|
||||||
if (now > kpart_size)
|
|
||||||
return 1;
|
|
||||||
@@ -36,37 +64,39 @@ int ExtractVmlinuz(void *kpart_data, size_t kpart_size,
|
|
||||||
|
|
||||||
kblob_data = kpart_data + now;
|
|
||||||
kblob_size = preamble->body_signature.data_size;
|
|
||||||
-
|
|
||||||
- if (!kblob_data || (now + kblob_size) > kpart_size)
|
|
||||||
+ now += kblob_size;
|
|
||||||
+ if (now > kpart_size)
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
+ // Find `vmlinuz_header` within `preamble`.
|
|
||||||
+
|
|
||||||
if (preamble->header_version_minor > 0) {
|
|
||||||
- vmlinuz_header_address = preamble->vmlinuz_header_address;
|
|
||||||
+ // calculate the vmlinuz_header offset from
|
|
||||||
+ // the beginning of the kpart_data. The kblob doesn't
|
|
||||||
+ // include the body_load_offset, but does include
|
|
||||||
+ // the keyblock and preamble sections.
|
|
||||||
+ size_t vmlinuz_header_offset =
|
|
||||||
+ preamble->vmlinuz_header_address -
|
|
||||||
+ preamble->body_load_address +
|
|
||||||
+ keyblock->keyblock_size +
|
|
||||||
+ preamble->preamble_size;
|
|
||||||
+
|
|
||||||
+ vmlinuz_header = kpart_data + vmlinuz_header_offset;
|
|
||||||
vmlinuz_header_size = preamble->vmlinuz_header_size;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!vmlinuz_header_size ||
|
|
||||||
- kpart_data + vmlinuz_header_offset + vmlinuz_header_size >
|
|
||||||
- kpart_data) {
|
|
||||||
+ if (!vmlinuz_header ||
|
|
||||||
+ !vmlinuz_header_size ||
|
|
||||||
+ vmlinuz_header + vmlinuz_header_size > kblob_data) {
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- // calculate the vmlinuz_header offset from
|
|
||||||
- // the beginning of the kpart_data. The kblob doesn't
|
|
||||||
- // include the body_load_offset, but does include
|
|
||||||
- // the keyblock and preamble sections.
|
|
||||||
- vmlinuz_header_offset = vmlinuz_header_address -
|
|
||||||
- preamble->body_load_address +
|
|
||||||
- keyblock->keyblock_size +
|
|
||||||
- preamble->preamble_size;
|
|
||||||
+ // Concatenate and return.
|
|
||||||
|
|
||||||
vmlinuz = malloc(vmlinuz_header_size + kblob_size);
|
|
||||||
if (vmlinuz == NULL)
|
|
||||||
return 1;
|
|
||||||
-
|
|
||||||
- memcpy(vmlinuz, kpart_data + vmlinuz_header_offset,
|
|
||||||
- vmlinuz_header_size);
|
|
||||||
-
|
|
||||||
+ memcpy(vmlinuz, vmlinuz_header, vmlinuz_header_size);
|
|
||||||
memcpy(vmlinuz + vmlinuz_header_size, kblob_data, kblob_size);
|
|
||||||
|
|
||||||
*vmlinuz_out = vmlinuz;
|
|
||||||
--
|
|
||||||
2.45.1
|
|
||||||
|
|