<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/boot/bootm.c, branch main</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/boot/bootm.c?h=main</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/boot/bootm.c?h=main'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-07-03T16:13:14Z</updated>
<entry>
<title>Merge patch series "bootm: fix flush_cache() with IH_TYPE_KERNEL_NOLOAD"</title>
<updated>2026-07-03T16:13:14Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-03T16:13:14Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=683161607af99a12de83eb5702d1f2662a107ac1'/>
<id>urn:sha1:683161607af99a12de83eb5702d1f2662a107ac1</id>
<content type='text'>
This patch series from Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
addresses a few issues with correctly handling IH_TYPE_KERNEL_NOLOAD in
a few cases.

Link: https://lore.kernel.org/r/20260622111933.1488593-1-nora.schiffer@ew.tq-group.com
</content>
</entry>
<entry>
<title>bootm: allow omitting entry point for IH_TYPE_KERNEL_NOLOAD</title>
<updated>2026-07-03T16:11:11Z</updated>
<author>
<name>Nora Schiffer</name>
<email>nora.schiffer@ew.tq-group.com</email>
</author>
<published>2026-06-22T11:19:33Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c63051237f2bc79838a27473709948408acdf38b'/>
<id>urn:sha1:c63051237f2bc79838a27473709948408acdf38b</id>
<content type='text'>
For IH_TYPE_KERNEL_NOLOAD, the entry point is given relative to the
image start, making 0 a valid default, and for IH_OS_EFI, it is ignored
altogether, so it may be preferable to omit it.

Signed-off-by: Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: warn about load address for IH_TYPE_KERNEL_NOLOAD in FIT</title>
<updated>2026-07-03T16:11:11Z</updated>
<author>
<name>Nora Schiffer</name>
<email>nora.schiffer@ew.tq-group.com</email>
</author>
<published>2026-06-22T11:19:32Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c2abc606653e7eb1e8dbdbaaf1eac392689875ea'/>
<id>urn:sha1:c2abc606653e7eb1e8dbdbaaf1eac392689875ea</id>
<content type='text'>
The load address is ignored for IH_TYPE_KERNEL_NOLOAD. Instead of
failing the boot when none is set, it makes more sense to warn when it
*is* set.

Signed-off-by: Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: fix flush_cache() with IH_TYPE_KERNEL_NOLOAD</title>
<updated>2026-07-03T16:11:11Z</updated>
<author>
<name>Nora Schiffer</name>
<email>nora.schiffer@ew.tq-group.com</email>
</author>
<published>2026-06-22T11:19:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=0f890963da2d463dd47ec77ef75b1324cc8064f9'/>
<id>urn:sha1:0f890963da2d463dd47ec77ef75b1324cc8064f9</id>
<content type='text'>
`flush_start` must be set after `load` has been assigned.

Fixes: 69544c4fd8b1 ("bootm: Support kernel_noload with compression")
Signed-off-by: Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: move OS index bound check into the legacy path</title>
<updated>2026-07-01T18:42:23Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-19T14:45:51Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=3900903a588964555c9e76cca53ada7d217c00f7'/>
<id>urn:sha1:3900903a588964555c9e76cca53ada7d217c00f7</id>
<content type='text'>
Commit 103b1e7ce8cc ("bootm: bound-check OS index in
bootm_os_get_boot_func()") added a range check to the shared accessor so
an out-of-range OS id can no longer drive an out-of-bounds read of
boot_os[]. That accessor is reached by every image format, but only a
legacy uImage can deliver an unchecked value. bootm_find_os() takes the
raw 8-bit ih_os byte straight from image_get_os() for legacy images,
whereas the FIT path reaches the accessor only after fit_image_load()
has rejected any image whose os is not one of the supported types, and
the Android path hardcodes IH_OS_LINUX. The check can therefore never
fail for FIT, where it only adds confusion and code.

Move the test to the legacy branch of bootm_find_os(), rejecting an
out-of-range OS where the untrusted byte enters. This keeps the FIT path
clear and lets the check be compiled out when CONFIG_LEGACY_IMAGE_FORMAT
is disabled. A valid OS id that has no handler is still reported by the
existing NULL return path in bootm_run_states().

Suggested-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: increase kernel_noload decompression headroom from 4x to 8x</title>
<updated>2026-06-17T18:47:33Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-05T15:42:50Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=f42eac9dc8a8b8125920d8a18f7f64afedf1fbc5'/>
<id>urn:sha1:f42eac9dc8a8b8125920d8a18f7f64afedf1fbc5</id>
<content type='text'>
For a compressed kernel_noload image, bootm_load_os() allocates a buffer
of ALIGN(image_len * 4, SZ_1M). The 4x factor is at the edge of what
modern compressors (zstd, xz) achieve on real kernels, so a
well-compressed vendor kernel can fail to boot at runtime with no
intervening warning.

Bump the headroom to 8x. The buffer is still bounded by the compressed
image size, and the SZ_1M alignment keeps the overhead below 1 MiB on
small kernels.

Suggested-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>bootm: fix overflow of the noload kernel decompression buffer</title>
<updated>2026-06-17T18:47:33Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-05T15:42:49Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=914ebe8b16b40537c3b438bc213b738151018ec6'/>
<id>urn:sha1:914ebe8b16b40537c3b438bc213b738151018ec6</id>
<content type='text'>
For a compressed kernel_noload image, bootm_load_os() allocates a
decompression buffer sized to ALIGN(image_len * 4, SZ_1M), assuming the
kernel compresses by no more than a factor of four. It then passes
CONFIG_SYS_BOOTM_LEN, rather than the size of that buffer, to
image_decomp() as the output limit. The decompressors honour the limit
they are given, so a kernel that decompresses to more than four times
its compressed size is written past the end of the allocated buffer and
corrupts adjacent memory.

Pass the allocation size to image_decomp() and handle_decomp_error() so
decompression stops at the buffer boundary and fails cleanly when the
image is too large, instead of overflowing. The regular non-noload
paths are unchanged and continue to use CONFIG_SYS_BOOTM_LEN. When the
failure is triggered by the smaller per-image buffer, print a note so
that handle_decomp_error()'s generic advice to increase
CONFIG_SYS_BOOTM_LEN does not mislead the reader.

Fixes: 69544c4fd8b1 ("bootm: Support kernel_noload with compression")
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>Merge patch series "bootm: bound noload kernel decompression to the allocated buffer"</title>
<updated>2026-06-17T15:54:27Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-17T15:54:27Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a57f2a31a7cd875dd96291394fb7c8c574b70a65'/>
<id>urn:sha1:a57f2a31a7cd875dd96291394fb7c8c574b70a65</id>
<content type='text'>
Aristo Chen &lt;aristo.chen@canonical.com&gt; says:

For a compressed kernel_noload image, bootm_load_os() allocates a
decompression buffer of ALIGN(image_len * 4, SZ_1M) and then passes
CONFIG_SYS_BOOTM_LEN (typically 128 MiB on arm64) to image_decomp() as
the output limit. The decompressors honour whatever limit they are
given, so a kernel that decompresses to more than four times its
compressed size runs past the end of the allocated buffer and silently
corrupts adjacent memory.

A 4x compression ratio is at the edge of what modern compressors
(zstd, xz) achieve on real kernels, and is trivially exceeded by
crafted, highly compressible payloads, so this is reachable both
accidentally and intentionally. The overflow can land on already-loaded
boot artefacts (FDT, ramdisk, loadables), U-Boot's own data, or
memory-mapped device registers; the existing post-decompression overlap
check in bootm_load_os() only catches overlap with the FIT itself.

Patch 1 plumbs the actual allocation size through to image_decomp() and
handle_decomp_error() via a single decomp_len variable, so
decompression stops at the buffer boundary and fails cleanly when the
image is too large. The non-noload code path is unchanged and continues
to use CONFIG_SYS_BOOTM_LEN. A clarifying note is printed when the
failure is gated by the per-image buffer, so the generic
"increase CONFIG_SYS_BOOTM_LEN" advice does not mislead.

Patch 2 raises the noload-decompression headroom from 4x to 8x. The 4x
factor is at the edge of what zstd and xz achieve on real kernels, so
well-compressed vendor kernels can fail to boot at runtime once the
bound is enforced. 8x covers them comfortably while remaining bounded.

Patch 3 adds two sandbox py-tests against the per-image buffer at the
final 8x value: one that exceeds the buffer and must be rejected, and
one that matches the buffer exactly and must succeed (guarding the
boundary).

Tested on sandbox: both new tests pass; the existing
test_fit_compressed_images_load (which covers the load-address path)
and the other tests in test/py/tests/test_fit.py continue to pass.

Link: https://lore.kernel.org/r/20260605154255.833334-1-aristo.chen@canonical.com
</content>
</entry>
<entry>
<title>bootm: increase kernel_noload decompression headroom from 4x to 8x</title>
<updated>2026-06-17T15:53:20Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-05T15:42:50Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4956f108539135afb1afdec2b509f62291087d16'/>
<id>urn:sha1:4956f108539135afb1afdec2b509f62291087d16</id>
<content type='text'>
For a compressed kernel_noload image, bootm_load_os() allocates a buffer
of ALIGN(image_len * 4, SZ_1M). The 4x factor is at the edge of what
modern compressors (zstd, xz) achieve on real kernels, so a
well-compressed vendor kernel can fail to boot at runtime with no
intervening warning.

Bump the headroom to 8x. The buffer is still bounded by the compressed
image size, and the SZ_1M alignment keeps the overhead below 1 MiB on
small kernels.

Suggested-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>bootm: fix overflow of the noload kernel decompression buffer</title>
<updated>2026-06-17T15:53:20Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-05T15:42:49Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=2ff26c1e37858ba0b2fd12c82e114a3cedcb317a'/>
<id>urn:sha1:2ff26c1e37858ba0b2fd12c82e114a3cedcb317a</id>
<content type='text'>
For a compressed kernel_noload image, bootm_load_os() allocates a
decompression buffer sized to ALIGN(image_len * 4, SZ_1M), assuming the
kernel compresses by no more than a factor of four. It then passes
CONFIG_SYS_BOOTM_LEN, rather than the size of that buffer, to
image_decomp() as the output limit. The decompressors honour the limit
they are given, so a kernel that decompresses to more than four times
its compressed size is written past the end of the allocated buffer and
corrupts adjacent memory.

Pass the allocation size to image_decomp() and handle_decomp_error() so
decompression stops at the buffer boundary and fails cleanly when the
image is too large, instead of overflowing. The regular non-noload
paths are unchanged and continue to use CONFIG_SYS_BOOTM_LEN. When the
failure is triggered by the smaller per-image buffer, print a note so
that handle_decomp_error()'s generic advice to increase
CONFIG_SYS_BOOTM_LEN does not mislead the reader.

Fixes: 69544c4fd8b1 ("bootm: Support kernel_noload with compression")
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
</feed>
