authorJohn Stultz <john.stultz@linaro.org>2018-12-19 20:04:02 -0800
committerJohn Stultz <john.stultz@linaro.org>2018-12-19 20:36:54 -0800
commit97586c62d421231c4213cd8d7ea0fbb7005c3ed3 (patch)
treee49292284b5bc17246927451170287c7d0c728b4
parent370cde2b5c9aea6eb9f87fee5e669bd834f03ed6 (diff)
downloadedk2-97586c62d421231c4213cd8d7ea0fbb7005c3ed3.tar.gz
EmbeddedPkg/AndroidFastboot: Fix overflow in Offset calculations
After noticing filesystem corruption on disk images after they had been flashed to a board, regardless of kernel, I dug in and found the fastboot sparse file handling was seeing overflows of the Offset value. Initially this was confusing as the Offset value is a UINTN, so should be 64bits. However, when flashing large images, fastboot will break the sparse image up into separate segments. After the first segment is sent, it prefixes the second segment with a DONTCARE chunk (which skips writing to the disk and moves Offset forward). Unfortunately, the ChunkSize is defined as a 32bit count of BlockSize (usually 4k) blocks. So when the Offset in a previous segment grows beyond 32bits, the following segment is prefixed with a DONTCARE chunk where the ChunkSize*BlockSize should be equal to the previous Offset value. Unfortunately, the calculations were done such that it multiplied two UINT32 values without casting to a UINTN first, resulting in the multiplication overflowing and losing the high bits. This resulted in data being incorrectly written over the lower 32bit range of the partition. Thus, this patch fixes the issue by casting the ChunkSize to a UINTN before doing the multiplication and avoiding the overflow. Signed-off-by: John Stultz <john.stultz@linaro.org>
-rw-r--r--EmbeddedPkg/Application/AndroidFastboot/AndroidFastbootApp.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/EmbeddedPkg/Application/AndroidFastboot/AndroidFastbootApp.c b/EmbeddedPkg/Application/AndroidFastboot/AndroidFastbootApp.c
index 9074c6c77..854157161 100644
--- a/EmbeddedPkg/Application/AndroidFastboot/AndroidFastbootApp.c
+++ b/EmbeddedPkg/Application/AndroidFastboot/AndroidFastbootApp.c
@@ -227,11 +227,11 @@ FlashSparseImage (
if (EFI_ERROR (Status)) {
return Status;
}
- Image += ChunkHeader->ChunkSize * SparseHeader->BlockSize;
- Offset += ChunkHeader->ChunkSize * SparseHeader->BlockSize;
+ Image += (UINTN)ChunkHeader->ChunkSize * SparseHeader->BlockSize;
+ Offset += (UINTN)ChunkHeader->ChunkSize * SparseHeader->BlockSize;
break;
case CHUNK_TYPE_FILL:
- Left = ChunkHeader->ChunkSize * SparseHeader->BlockSize;
+ Left = (UINTN)ChunkHeader->ChunkSize * SparseHeader->BlockSize;
while (Left > 0) {
if (Left > FILL_BUF_SIZE) {
Count = FILL_BUF_SIZE;
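Review bot: The `(UINTN)` cast on the `Image +=`, `Offset +=` and `Left =` lines only widens the product to the native word size, so on a 32-bit build (where UINTN is 32 bits) a host-supplied ChunkSize * BlockSize can still wrap, and the same applies to the DONT_CARE line in the second hunk. Since both operands come from the sparse-image header sent by the host, a guard before the multiplication would make the failure explicit instead of silently truncating: `if (ChunkHeader->ChunkSize > MAX_UINTN / SparseHeader->BlockSize) { return EFI_INVALID_PARAMETER; }` (assuming BlockSize has already been validated as non-zero earlier in FlashSparseImage, which I cannot see from the hunk). A short comment such as `// ChunkSize and BlockSize are UINT32; widen before multiplying so the byte count does not wrap` on the first cast would record why the cast is there. FlashSparseImage starts before and continues after this hunk.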
@@ -254,7 +254,7 @@ FlashSparseImage (
Image += sizeof (UINT32);
break;
case CHUNK_TYPE_DONT_CARE:
- Offset += ChunkHeader->ChunkSize * SparseHeader->BlockSize;
+ Offset += (UINTN)ChunkHeader->ChunkSize * SparseHeader->BlockSize;
break;
default:
UnicodeSPrint (