u-boot.git/common/spl, branch v2025.07 Unnamed repository; edit this file 'description' to name the repository. common/spl: guard against buffer overflow in spl_fit_get_image_name() 2025-06-26T17:58:17+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-06-24T15:34:31+00:00 79f8f31d58dfcd2b3563c32f1cf1097cee4d7f76 A malformed FIT image could have an image name property that is not NUL terminated. Reject such images. Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tested-by: E Shattow <e@freeshell.de> 
A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.

Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>
common/spl: Revert fix potential out of buffer access in spl_fit_get_image_name function 2025-06-26T17:58:17+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-06-24T15:34:30+00:00 6ef9a89c1da433108ac89deab58954c6e2b798ba The change in commit 3704b888a4ca ("common/spl: fix potential out of buffer access in spl_fit_get_image_name function") led to function spl_fit_get_image_name() no longer detecting if a property does not exist at a non-zero buffer. Link: https://lore.kernel.org/u-boot/38f5d078-3328-4bdb-9c95-4fb5fe89ddc2@gmx.de/T/#m59f3a23e675daa992c28d12236de71cae2ca2bb9 Fixes: 3704b888a4ca ("common/spl: fix potential out of buffer access in spl_fit_get_image_name function") Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tested-by: E Shattow <e@freeshell.de> 
The change in commit 3704b888a4ca ("common/spl: fix potential out of buffer
access in spl_fit_get_image_name function") led to function
spl_fit_get_image_name() no longer detecting if a property does not exist
at a non-zero buffer.

Link: https://lore.kernel.org/u-boot/38f5d078-3328-4bdb-9c95-4fb5fe89ddc2@gmx.de/T/#m59f3a23e675daa992c28d12236de71cae2ca2bb9
Fixes: 3704b888a4ca ("common/spl: fix potential out of buffer access in spl_fit_get_image_name function")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>
common/spl: improve error handling in spl_fit 2025-06-19T17:01:51+00:00 Mikhail Kshevetskiy mikhail.kshevetskiy@iopsys.eu 2025-06-10T09:56:32+00:00 8bb9c275c484206c0314014d8215770aaac4cefe This fix a possible NULL pointer dereference. There is also a risk of memory leaking within the same portion of code. The leak will happen if loaded image is bad or damaged. In this case u-boot-spl will try booting from the other available media. Unfortunately resources allocated for previous boot media will NOT be freed. We can't fix that issue as the memory allocation mechanism used here is unknown. It can be different kinds of malloc() or something else. To somewhat reduce memory consumption, one can try to reuse previously allocated memory as it's done in board_spl_fit_buffer_addr() from test/image/spl_load.c. The corresponding comment was put to the code as well. Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> Reviewed-by: Anshul Dalal <anshuld@ti.com> 
This fix a possible NULL pointer dereference.

There is also a risk of memory leaking within the same portion of code.
The leak will happen if loaded image is bad or damaged. In this case
u-boot-spl will try booting from the other available media. Unfortunately
resources allocated for previous boot media will NOT be freed.

We can't fix that issue as the memory allocation mechanism used here
is unknown. It can be different kinds of malloc() or something else.

To somewhat reduce memory consumption, one can try to reuse previously
allocated memory as it's done in board_spl_fit_buffer_addr() from
test/image/spl_load.c.

The corresponding comment was put to the code as well.

Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Reviewed-by: Anshul Dalal <anshuld@ti.com>
common/spl: handle properly images with bad checksum 2025-06-19T17:01:51+00:00 Mikhail Kshevetskiy mikhail.kshevetskiy@iopsys.eu 2025-06-10T09:56:31+00:00 3eb43c54fadba457f22e415a2821145164efe662 load_simple_fit() returns -EPERM for the images with broken signatures. Unfortunately this may conflict with image loaging selection on the base of boot phase. See commit 873112db9ce68c38984ff25808dde726f8dd5573 ("spl: Support selecting images based on phase in simple FIT"). Thus loading of configurations { uboot { description = "u-boot"; firmware = "atf"; loadables = "atf", "tee", "uboot"; }; }; with damaged "tee" image may finish without errors. This may results in board bricking. This patch fixes commit 873112db9ce68c38984ff25808dde726f8dd5573 ("spl: Support selecting images based on phase in simple FIT") by replacing EPERM with EBADSLT places where it should be done. Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> 
load_simple_fit() returns -EPERM for the images with broken signatures.
Unfortunately this may conflict with image loaging selection on the base
of boot phase. See commit 873112db9ce68c38984ff25808dde726f8dd5573
("spl: Support selecting images based on phase in simple FIT").

Thus loading of

	configurations {
		uboot {
			description = "u-boot";
			firmware = "atf";
			loadables = "atf", "tee", "uboot";
		};
	};

with damaged "tee" image may finish without errors. This may results in
board bricking.

This patch fixes commit 873112db9ce68c38984ff25808dde726f8dd5573
("spl: Support selecting images based on phase in simple FIT")
by replacing EPERM with EBADSLT places where it should be done.

Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
common/spl: fix potential out of buffer access in spl_fit_get_image_name function 2025-06-19T17:01:51+00:00 Mikhail Kshevetskiy mikhail.kshevetskiy@iopsys.eu 2025-06-10T09:56:30+00:00 3704b888a4cabac8daea20a4504d513bc47153ca The current code have two issues: 1) ineffective NULL pointer check str = strchr(str, '\0') + 1 if (!str || ... The str here will never be NULL (because we add 1 to result of strchr()) 2) strchr() may go out of the buffer for the special forms of name variable. It's better use memchr() function here. According to the code the property is a sequence of C-string like shown below: 'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0' index is the string number we are interested, so index = 0 => "hello", index = 1 => "world", index = 2 => "!" The issue will arrise if last string for some reason have no terminating '\0' character. This can happen for damaged or specially crafted dtb. Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu> Reviewed-by: Tom Rini <trini@konsulko.com> 
The current code have two issues:
1) ineffective NULL pointer check

	str = strchr(str, '\0') + 1
	if (!str || ...

   The str here will never be NULL (because we add 1 to result of strchr())

2) strchr() may go out of the buffer for the special forms of name variable.
   It's better use memchr() function here.

   According to the code the property is a sequence of C-string like
   shown below:

     'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0'

   index is the string number we are interested, so

     index = 0   =>  "hello",
     index = 1   =>  "world",
     index = 2   =>  "!"

   The issue will arrise if last string for some reason have no terminating
   '\0' character. This can happen for damaged or specially crafted dtb.

Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Reviewed-by: Tom Rini <trini@konsulko.com>
spl: Kconfig: support U-Boot load from raw NAND 2025-05-21T10:52:29+00:00 Dario Binacchi dario.binacchi@amarulasolutions.com 2025-05-20T08:54:16+00:00 8acea298bb82c38b20855cd46a46b9e418dc1fb0 Commit 2a00d73d081a ("spl: mmc: Try to clean up raw-mode options") breaks the boot of the BSH SMM S2 board. As stated in the commit itself, "Some boards use this value even though MMC is not enabled in SPL, for example imx8mn_bsh_smm_s2". Support load of the U-Boot image from raw NAND sector. This is equivalent to load from MMC raw sector. Fixes: 2a00d73d081a ("spl: mmc: Try to clean up raw-mode options") Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> 
Commit 2a00d73d081a ("spl: mmc: Try to clean up raw-mode options") breaks
the boot of the BSH SMM S2 board. As stated in the commit itself, "Some
boards use this value even though MMC is not enabled in SPL, for example
imx8mn_bsh_smm_s2".

Support load of the U-Boot image from raw NAND sector. This is equivalent
to load from MMC raw sector.

Fixes: 2a00d73d081a ("spl: mmc: Try to clean up raw-mode options")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
rockchip: Add SPL_PAD_TO Kconfig default value 2025-05-06T07:58:25+00:00 Jonas Karlman jonas@kwiboo.se 2025-04-13T19:59:37+00:00 ce0dccf4593d2eefcb6b0c3145a2f0dd7490d900 Almost all Rockchip boards use the same Kconfig value for SPL_PAD_TO, 0x7f8000. u-boot-rockchip.bin is typically written to offset 64S (32KiB) of MMC media. u-boot.itb (or u-boot.img) is typically expected at offset 16384S (8MiB) of MMC media (SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x4000). SPL_PAD_TO is used as the offset for u-boot.itb (or u-boot.img) in the generated simple-bin binman image, and can be calculated as: SPL_PAD_TO = (16384S - 64S) * 512 = 0x7f8000 Add this value as a default value for ARCH_ROCKCHIP. Signed-off-by: Jonas Karlman <jonas@kwiboo.se> Reviewed-by: Kever Yang <kever.yang@rock-chips.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> 
Almost all Rockchip boards use the same Kconfig value for SPL_PAD_TO,
0x7f8000.

u-boot-rockchip.bin is typically written to offset 64S (32KiB) of MMC
media. u-boot.itb (or u-boot.img) is typically expected at offset 16384S
(8MiB) of MMC media (SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x4000).

SPL_PAD_TO is used as the offset for u-boot.itb (or u-boot.img) in the
generated simple-bin binman image, and can be calculated as:

  SPL_PAD_TO = (16384S - 64S) * 512 = 0x7f8000

Add this value as a default value for ARCH_ROCKCHIP.

Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
spl: imx: use trampoline buffer to load images to secure region 2025-05-03T19:55:32+00:00 Ye Li ye.li@nxp.com 2025-04-28T10:37:36+00:00 2f8b24d5cc34e5c4c466a29539e5a01b14423cac When SPL loading image to secure region, for example, ATF and tee to DDR secure region. Because the USDHC controller is non-secure master, it can't access this region and will cause loading issue. So use a trampoline buffer in non-secure region, then use CPU to copy the image from trampoline buffer to destination secure region. Signed-off-by: Ye Li <ye.li@nxp.com> Signed-off-by: Alice Guo <alice.guo@nxp.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> 
When SPL loading image to secure region, for example, ATF and tee to
DDR secure region. Because the USDHC controller is non-secure master,
it can't access this region and will cause loading issue.

So use a trampoline buffer in non-secure region, then use CPU to copy the
image from trampoline buffer to destination secure region.

Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Alice Guo <alice.guo@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
configs: set SPL_TEXT_BASE by default for k3 platforms 2025-04-24T14:23:07+00:00 Anshul Dalal anshuld@ti.com 2025-04-15T09:50:27+00:00 7d8c3fa26c954f575842d739b4e0b9def4eefae6 SPL_TEXT_BASE is used as the load address for the main domain SPL on k3 platforms. Since the config value is the same for every board, this patch sets the value 0x80080000 as default for all 64-bit ARCH_K3, 0x43c00000 as default for the R5 cores and deletes the instances of SPL_TEXT_BASE in individual defconfigs. Signed-off-by: Anshul Dalal <anshuld@ti.com> Reviewed-by: Tom Rini <trini@konsulko.com> 
SPL_TEXT_BASE is used as the load address for the main domain SPL on k3
platforms.

Since the config value is the same for every board, this patch sets the
value 0x80080000 as default for all 64-bit ARCH_K3, 0x43c00000 as
default for the R5 cores and deletes the instances of SPL_TEXT_BASE in
individual defconfigs.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
ARM: mvebu: Correct SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR usage 2025-04-16T06:05:15+00:00 Tom Rini trini@konsulko.com 2025-03-15T01:29:05+00:00 9af45190d6dbe4d7369c01c34b6fe40dc00d8663 As the code is today, we get a warning about "select" statements on "choice" options not doing anything. However, it also works as intended because SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is the default option within that choice statement. To guard against future regressions, make the choice statement in common/spl/Kconfig have an explicit default if MVEBU_SPL_BOOT_DEVICE_MMC. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Stefan Roese <sr@denx.de> 
As the code is today, we get a warning about "select" statements on
"choice" options not doing anything. However, it also works as intended
because SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is the default option
within that choice statement. To guard against future regressions, make
the choice statement in common/spl/Kconfig have an explicit default if
MVEBU_SPL_BOOT_DEVICE_MMC.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Stefan Roese <sr@denx.de>