From: Chris Packham
To: u-boot@lists.denx.de
Date: Wed, 29 Aug 2018 10:51:14 +1200
Message-Id: <20180828225114.30005-1-judge.packham@gmail.com>
Cc: Stefan Roese, Michal Simek, Mark Tomlinson, Alexander Graf, Guillaume GARDET, Chris Packham
Subject: [U-Boot] [PATCH] tools: mkimage: Ensure munmap unmaps the same length that was mapped

From: Mark Tomlinson

The set_header call in kwbimage.c adds a checksum to the end of the image in addition to setting up the header. It 'helpfully' updates the st_size to match the fact that the file is now longer. However, mkimage uses this length in the munmap call. This can lead to unmapping an extra page, of perhaps required data. When this happens, a SEGV can occur.

To prevent this from happening, the munmap call now uses the same length that was passed to mmap.

This could also have been fixed by not changing the length in kwbimage.c, however changing it in the main file means that other plugins will also not fall for the same trap.

Signed-off-by: Mark Tomlinson
Signed-off-by: Chris Packham
[cp: resolve checkpatch complaints]
Tested-by: Chris Packham
---
 tools/mkimage.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/mkimage.c b/tools/mkimage.c index e0d4d20be499..6abd4d6a8b22 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -318,6 +318,7 @@ int main(int argc, char **argv) struct image_type_params *tparams = NULL; int pad_len = 0; int dfd; + size_t map_len; params.cmdname = *argv; params.addr = 0; 
@@ -576,7 +577,8 @@ int main(int argc, char **argv) } params.file_size = sbuf.st_size; - ptr = mmap(0, sbuf.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, ifd, 0); + map_len = sbuf.st_size; + ptr = mmap(0, map_len, PROT_READ | PROT_WRITE, MAP_SHARED, ifd, 0); if (ptr == MAP_FAILED) { fprintf (stderr, "%s: Can't map %s: %s\n", params.cmdname, params.imagefile, strerror(errno)); @@ -600,7 +602,7 @@ int main(int argc, char **argv) params.cmdname, tparams->name); } - (void) munmap((void *)ptr, sbuf.st_size); + (void)munmap((void *)ptr, map_len); /* We're a bit of paranoid */ #if defined(_POSIX_SYNCHRONIZED_IO) && \
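Review bot: the `size_t map_len;` declaration added in the first hunk (@@ -318) carries no comment, and nothing tells a later reader that it must stay equal to the length handed to mmap() even when sbuf.st_size changes afterwards. A one-line comment at the declaration, along the lines of "length passed to mmap(), do not refresh from sbuf", would keep a future cleanup from folding it back into sbuf.st_size and reintroducing the mismatch the commit message describes.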
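Review bot: in the second hunk (@@ -576), `map_len = sbuf.st_size;` converts the signed off_t reported by stat into a size_t with no range check. The old code made the same conversion implicitly in the mmap() argument, so this is not a regression, but now that the value is stored and reused for munmap() it would be cleaner to reject a negative or oversized st_size before the assignment. The `PROT_READ | PROT_WRITE` spacing change on the mmap line is style only and is covered by the `[cp: resolve checkpatch complaints]` tag, though it makes the functional change harder to spot in the diff.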
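Review bot: at the munmap() call in the third hunk (@@ -600), the length is now correct, but sbuf.st_size itself is still left at whatever set_header changed it to, as the commit message describes. Anything later in main() that reads sbuf.st_size will see the grown value, while params.file_size was captured before the mmap, so it is worth confirming that no later code depends on sbuf, and saying so in a comment next to the munmap() call.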