author: Suzuki K. Poulose <suzuki@in.ibm.com> 2013-03-06 14:09:47 +0530
committer: Simon Horman <horms@verge.net.au> 2013-03-08 13:57:30 +0900
commit: 90f7609a739d24faffab41422185b9f1a65573da
tree: 51a3856d516d30c2b3250e49219d3a3dd3c47336 /kexec/add_segment.c
parent: 4255d2b07d231a3ff037fdf5aafa80e4f90c937d

kexec/uImage: Fix the payload length in uImage_load

For payloads without any compression, the image->len is set to the length of the entire uImage which includes the uImage header. This should be filled in from ih_size field of the uImage header.

This can cause a buffer overflow, leading the sha256_process to overrun the initrd buffer.

Also, prevents a vulnerability where the image has been appended with additional data. The crc check is performed only when compiled with zlib.

TODO: Implement CRC check if ZLIB is not compiled in.

Reported-by: Nathan Miller <nathanm2@us.ibm.com>
Signed-off-by: Suzuki K. Poulose <suzuki@in.ibm.com>
Signed-off-by: Simon Horman <horms@verge.net.au>

Diffstat (limited to 'kexec/add_segment.c')
0 files changed, 0 insertions, 0 deletions
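
The length handling the commit message describes, as an added example that is not the kexec-tools code or part of this commit: the payload length is read from ih_size in the 64-byte legacy uImage header and bounded by the file length, so neither the header nor appended data is counted. uimage_payload and sample_payload_len are hypothetical names, the sample image is constructed, and the CRC checks are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UIMAGE_MAGIC   0x27051956u /* ih_magic of a legacy uImage */
#define UIMAGE_HDR_LEN 64u         /* fixed size of the legacy header */
#define IH_SIZE_OFF    12u         /* offset of ih_size (big-endian payload size) */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: returns 0 and the payload span on success, -1 on a bad image. */
int uimage_payload(const unsigned char *buf, size_t buf_len,
                   const unsigned char **payload, size_t *len)
{
    uint32_t ih_size;

    if (buf_len < UIMAGE_HDR_LEN || be32(buf) != UIMAGE_MAGIC)
        return -1;
    ih_size = be32(buf + IH_SIZE_OFF);
    if (ih_size > buf_len - UIMAGE_HDR_LEN)
        return -1;                    /* header claims more than the file holds */
    *payload = buf + UIMAGE_HDR_LEN;
    *len = ih_size;                   /* not buf_len: excludes header and appended data */
    return 0;
}

/* Constructed sample image of file_len bytes; returns accepted payload length or -1. */
long sample_payload_len(uint32_t ih_size, size_t file_len)
{
    unsigned char img[128] = { 0x27, 0x05, 0x19, 0x56 };
    const unsigned char *payload;
    size_t len;

    img[IH_SIZE_OFF + 0] = (unsigned char)(ih_size >> 24);
    img[IH_SIZE_OFF + 1] = (unsigned char)(ih_size >> 16);
    img[IH_SIZE_OFF + 2] = (unsigned char)(ih_size >> 8);
    img[IH_SIZE_OFF + 3] = (unsigned char)ih_size;
    if (file_len > sizeof(img) || uimage_payload(img, file_len, &payload, &len) != 0)
        return -1;
    return (long)len;
}

int main(void)
{
    printf("%ld\n", sample_payload_len(8, 76)); /* 8-byte payload, 4 bytes appended */
    return 0;
}
```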