author | Suzuki K. Poulose <suzuki@in.ibm.com> | 2013-03-06 14:09:47 +0530 |
---|---|---|
committer | Simon Horman <horms@verge.net.au> | 2013-03-08 13:57:30 +0900 |
commit | 90f7609a739d24faffab41422185b9f1a65573da (patch) | |
tree | 51a3856d516d30c2b3250e49219d3a3dd3c47336 /kexec/add_buffer.c | |
parent | 4255d2b07d231a3ff037fdf5aafa80e4f90c937d (diff) |
kexec/uImage: Fix the payload length in uImage_load

For payloads without any compression, the image->len
is set to the length of the entire uImage which includes
the uImage header. This should be filled in from
ih_size field of the uImage header.

This can cause a buffer overflow, leading the sha256_process
to overrun the initrd buffer. Also, prevents a vulnerability
where the image has been appended with additional data. The
crc check is performed only when compiled with zlib.

TODO: Implement CRC check if ZLIB is not compiled in.

Reported-by: Nathan Miller <nathanm2@us.ibm.com>
Signed-off-by: Suzuki K. Poulose <suzuki@in.ibm.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Diffstat (limited to 'kexec/add_buffer.c')
0 files changed, 0 insertions, 0 deletions
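
The length handling described in the commit message, sketched as an added example that is not code from kexec-tools: the payload length is taken from the header's `ih_size` field and bounded by the file size, instead of using the length of the whole file. The names `uimage_payload` and `sample_payload_len` are hypothetical; the layout assumed is the legacy 64-byte uImage header with big-endian `ih_magic` at offset 0 and `ih_size` at offset 12, and the header and data CRC checks are left out.

```c
#include <stddef.h>
#include <stdint.h>

#define UIMAGE_MAGIC   0x27051956u /* ih_magic of a legacy uImage */
#define UIMAGE_HDR_LEN 64u         /* size of the legacy uImage header */
#define IH_SIZE_OFF    12u         /* offset of the big-endian ih_size field */

/* Read a 32-bit big-endian field without assuming alignment. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Hypothetical helper: locate the payload of an uncompressed uImage.
 * Returns 0 and fills *payload / *payload_len, or -1 if malformed.
 * The length comes from ih_size, never from buf_len.
 */
int uimage_payload(const unsigned char *buf, size_t buf_len,
                   const unsigned char **payload, size_t *payload_len)
{
    uint32_t ih_size;

    if (buf == NULL || buf_len < UIMAGE_HDR_LEN)
        return -1;                 /* too short to hold a header */
    if (be32(buf) != UIMAGE_MAGIC)
        return -1;                 /* not a uImage */
    ih_size = be32(buf + IH_SIZE_OFF);
    if (ih_size > buf_len - UIMAGE_HDR_LEN)
        return -1;                 /* header claims more than the file holds */
    *payload = buf + UIMAGE_HDR_LEN;
    *payload_len = ih_size;        /* excludes header and appended bytes */
    return 0;
}

/* Constructed sample: header + 8-byte payload + 4 appended bytes (76 total). */
size_t sample_payload_len(uint32_t claimed_size)
{
    unsigned char img[UIMAGE_HDR_LEN + 8 + 4] = {0x27, 0x05, 0x19, 0x56};
    const unsigned char *p = NULL;
    size_t n = 0;

    img[IH_SIZE_OFF + 3] = (unsigned char)claimed_size; /* low byte of ih_size */
    return uimage_payload(img, sizeof img, &p, &n) == 0 ? n : (size_t)-1;
}
```

With `ih_size` set to 8, a consumer such as a hash routine is handed 8 bytes rather than the 76-byte file length; only a data CRC check can detect a header whose `ih_size` was itself enlarged to cover appended bytes.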