| Age | Commit message (Collapse) | Author |
|
[email protected] <[email protected]> says:
From: Randolph Sapp <[email protected]>
Nitpicks and fixes from the discovery thread on adding PocketBeagle2 support
[1]. This does a lot of general setup required for the device, but these
modifications themselves aren't device specific. For those specifically
interested in PocketBeagle2 support and don't care about these details, my
development branch is public [2].
That first patch may provoke some opinions, but honestly if that warning was
still present I wouldn't have spent a week poking holes in both the EFI and LMB
allocations systems. Please let me know if there is a specific usecase that it
breaks though.
[1] https://lore.kernel.org/all/[email protected]/
[2] https://github.com/StaticRocket/u-boot/tree/feature/pocketbeagle2
Link: https://lore.kernel.org/r/[email protected]
|
|
Add a new global data struct member called initial_relocaddr. This
stores the original value of relocaddr, directly from setup_dest_addr.
This is specifically to avoid any adjustments made by other init
functions.
Reserve the memory from gd->start_addr_sp - CONFIG_STACK_SIZE to
gd->initial_relocaddr instead of gd->ram_top. This allows platform
specific relocation addresses to work without unnecessarily painting
over a large range.
Signed-off-by: Randolph Sapp <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
Add a image_fdt suite and a check for boot_fdt_add_mem_rsv_regions. This
will ensure the user is properly informed of any reservation failures.
It will also validate that reservations are cleaned up correctly when
switching FDTs.
Signed-off-by: Randolph Sapp <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Acked-by: Ilias Apalodimas <[email protected]>
|
|
Add a ut_ubman fixture to clean up after certain problematic tests
without negatively affecting the current assert based testing.
Currently this catches "bootstd bootflow_cmd_boot" and "bootstd
bootflow_scan_boot" ut_subtests, as these will change the sandbox state
a little too much to be recoverable from.
Signed-off-by: Randolph Sapp <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add a free flag and an initial call to free allocations covered by the
global FDT. This assumes that all calls to boot_fdt_add_mem_rsv_regions
occur before the transition to the new device tree, thus we can access
the currently active device tree through the global data pointer.
This allows us to clearly indicate to the user when a device tree
reservation fails. How we handle this can still use some improvement.
Right now we'll keep the default behavior and try to boot anyway.
Fixes: 5a6aa7d5913 ("boot: fdt: Handle already reserved memory in boot_fdt_reserve_region()")
Signed-off-by: Randolph Sapp <[email protected]>
Acked-by: Ilias Apalodimas <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Fixes: tag with a 12-char hash:
Fixes: 5a6aa7d59133 ("boot: fdt: Handle already reserved memory in
|
|
malloc() doesn't zero out memory, leaving ep->ep.enabled uninitiated,
which could make this flag falsely true.
In next usb_ep_enable() call since this flag is true, ep->ops->enable()
will be skipped. Then usb_ep_queue() will fail on uninitialized endpoint.
Fixes: 59310d1ecb9f ("usb: gadget: introduce 'enabled' flag in struct usb_ep")
Signed-off-by: Zixun LI <[email protected]>
Reviewed-by: Marek Vasut <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
The boot selection rules state that a slot is bootable if it is not
corrupted and either has tries remaining or has already booted
successfully. However, slots that have tries_remaining == 0 and
successful_boot == 1 will be disregarded when picking the slot to
attempt.
Updates the selection logic so slots marked successful remain eligible
even when their tries counter is zero. Debug message now also includes
the successful_boot value.
Signed-off-by: Colin Pinnell McAllister <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
blk_dwrite() returns the number of blocks written.
The code was only checking if the return value was different
than 0. Hence, partial writes were considered successful.
Fix blk_dwrite error handling by checking that all blocks
are written.
Signed-off-by: Francois Berder <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
Link: https://patch.msgid.link/BESP194MB2805BBD03E7C92727F116585DA0D2@BESP194MB2805.EURP194.PROD.OUTLOOK.COM
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
Two fixes for R-Car Gen5 RSIP, one to surely build u-boot-elf.shdr and
one to make u-boot-elf.shdr compatible with tooling.
Two fixes for R-Car Gen4, which could hang in SPL without them.
|
|
ARM GIC-600 IP complies with ARM GICv3 architecture, but among others,
implements a power control register in the Redistributor frame. This
register must be programmed to mark the frame as powered on, before
accessing other registers in the frame.
Before the switch to generic lowlevel_init function, this did not pose
a problem as the previous custom lowlevel_init did not access the GICR
registers. The generic function does and that does lead to a hang early
in SPL. Enable the GIC600 initialization variant to mitigate the hang.
Fixes: 37997a214ed1 ("arm: renesas: Use stock lowlevel_init function and remove s_init")
Signed-off-by: Marek Vasut <[email protected]>
|
|
The mach_cpu_init() function is not invoked in SPL. Instead of
having two functions, fold mach_cpu_init() into board_init_f(),
which is called very early in the boot process and assures that
the CPG and APMU setup will be invoked before DM is brought up.
Fixes: 37997a214ed1 ("arm: renesas: Use stock lowlevel_init function and remove s_init")
Signed-off-by: Marek Vasut <[email protected]>
|
|
This brings in a number of FIT image validation fixes from Anton Ivanov
<[email protected]> that have security implications.
|
|
fdt_get_name() can return NULL and set len to a negative error code.
fdt_find_regions() does not check for this, leading to a potential NULL
pointer dereference and a buffer out-of-bounds write during signature
verification of an untrusted FIT. fdt_next_region(), fdt_check_full(),
and display_fdt_by_regions() also lack validation.
Add NULL checks and propagate the error code from fdt_get_name()
to the caller.
Signed-off-by: Anton Ivanov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The SDK 4.32 flash_writer tool, built from the SDK IPL source, requires
SREC S7 "Start address (termination)" record [1] at the end of the SREC
file that is sent to it during installation of content into storage,
otherwise the tool waits for the S7 record indefinitelly and the payload
does not get installed into storage.
Specifically, the tool considers SREC S3 and S7 records as mandatory,
S0, S5, S6 as ignored, and any other records as unsupported.
Configure srec_cat such that it explicitly generates the trailing S7
record, and also that it never generates the ignored S5 Count record.
This fixes installation of u-boot-elf.shdr using the flash_writer tool,
which can not finish successfully without the trailing S7 record.
[1] https://en.wikipedia.org/wiki/Motorola_S-record#Record_types
Fixes: 3b2ce3743c1a ("arm: renesas: Generate u-boot-elf.shdr for R-Car Gen5 RSIP")
Signed-off-by: Marek Vasut <[email protected]>
|
|
Currently, the default build target for all R-Car Gen3/4/5 is the
u-boot-elf.srec, which depends on u-boot.bin and other vital build
artifacts, which get built as prerequisites. The R-Car Gen5 RSIP
port benefits from u-boot-elf.shdr being built as well, because the
u-boot-elf.shdr contains header used by the BootROM to load and
start U-Boot on the RSIP core. Because u-boot-elf.shdr depends on
u-boot-elf.srec, switch the default build target for R-Car Gen5
RSIP port to u-boot-elf.shdr. This way, both u-boot-elf.shdr and
u-boot-elf.srec are built for R-Car Gen5 RSIP port.
Fixes: 9d47a5a4d560 ("arm: renesas: Add Renesas R-Car R8A78000 X5H Cortex-M33 RSIP port")
Signed-off-by: Marek Vasut <[email protected]>
|
|
fit_image_get_data() uses the data-position, data-offset, and
data-size FIT properties without bounds checking. A crafted FIT
image can specify values that cause out-of-bounds read during
signature verification of an untrusted FIT.
Validate that the external data offset and size are non-negative,
and that the data region fits within the FIT image bounds.
Signed-off-by: Anton Ivanov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
fdt_check_no_at() recurses into every subnode without a depth
limit. A deeply nested FIT image can exhaust the stack and crash
U-Boot during signature verification of an untrusted FIT.
Add a depth check using FDT_MAX_DEPTH to bound the recursion.
Signed-off-by: Anton Ivanov <[email protected]>
|
|
fdt_get_property_by_offset() returns NULL for FDT with version
less than 0x10. fdt_find_regions() dereferences the result without
checking, leading to a NULL pointer dereference during signature
verification of an untrusted FIT. fdt_add_alias_regions() and
fdt_next_region() also lack validation.
Add NULL checks before accessing the returned property pointer.
Also add a missing NULL check for fdt_string() in
fdt_add_alias_regions() and fdt_next_region().
Signed-off-by: Anton Ivanov <[email protected]>
|
|
fit_config_check_sig() reads the hashed-strings property and uses
its size value without validation when building the region list for
signature verification. A crafted FIT image can specify an arbitrary
size, causing the hash calculation to read beyond the end of the FIT
image. The property length is also not checked, so a truncated
hashed-strings property causes strings[1] to be read past the end of
the property. This may result in the out-of-bounds read during signature
verification of an untrusted FIT.
Validate both the property length and that the declared strings region
fits within bounds before adding it to the region list.
Signed-off-by: Anton Ivanov <[email protected]>
|
|
"Markus Schneider-Pargmann (TI)" <[email protected]> says:
The series is split into two logical groups:
- Patches 1-3: Fixes for am335x-evm to boot and support the LCD panel
with the current u-boot devicetree.
- Patches 4-17: Make upstream devicetree working with uboot. This
adds tick-timer, adds compatibility of the board code for different
USB probing, makes SPL smaller and updates the defconfig.
The series has been tested on am335x-evm. Note that I don't have all
other boards built with the am335x_*evm_*defconfig, so tests are
appreciated. buildman reports builds are working.
Link: https://lore.kernel.org/r/20260601-topic-am33-evm-oftree-v2026-01-v8-0-2c33c98e7ce5@baylibre.com/
|
|
These boards are not yet in the CONFIG_OF_LIST of the defconfigs, add
them and remove the local devicetrees.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Use dt_dir for the substitution of the DT paths to get the correct paths
even when switching to OF_UPSTREAM.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
dt_dir should be usable within architecture Makefiles. Move the
definition of dt_dir above the architecture include.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
CLK is an optional dependency of simple-pm-bus. Remove the dependency.
Fixes: 447bd8f1e5cf ("simple-pm-bus: Make clocks optional")
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
These devicetrees are not used anymore because the boards are using
upstream devicetrees now.
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
The upstream devicetree uses simple-pm-bus, so CONFIG_POWER_DOMAIN is
required now. CONFIG_POWER_DOMAIN enables probing power domains, the PRM
power domain driver is requierd as well now.
CONFIG_PHANDLE_CHECK_SEQ is now needed as many device nodes are now
named for example mmc@0.
This switches all evm defconfig variants to use the upstream devicetree.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
|
|
Similar to SIMPLE_BUS, create a SPL_SIMPLE_PM_BUS additional to the
SIMPLE_PM_BUS. Most boards will not need SIMPLE_PM_BUS in SPL.
This is currently needed to reduce the SPL size for beagle bone black
with OF_UPSTREAM enabled.
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Support musb being probed by ti,musb-am33xx. The non-upstream DT probing
used a wrapper driver that probed ti-musb-peripheral and ti-musb-host.
This wrapper registered as UCLASS_MISC, which is why it is requested in
this board.c file.
With the new devicetree the wrapper that registers as UCLASS_MISC is
gone, instead the UCLASS_USB and UCLASS_USB_GADGET_GENERIC have to be
requested.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Fix #else and #endif comments to match actual #if condition. Comments
incorrectly referenced CONFIG_USB_MUSB_* instead of CONFIG_AM335X_USB*
and CONFIG_XPL_BUILD.
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
This is required for am335x to boot correctly.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Upstream devicetrees do not have a binding for the tick-timer. Add it
for all boards built with the am335x_evm_defconfig.
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Currently if USB fails to probe, U-Boot does not reach the console.
This patch does not fail if USB fails to probe making it easier to debug
in case of issues.
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Much of the config symbols between the evm boards are the same
independent of the actual board. This patch creates a hierarchy for the
am335x_evm configs:
am335x_evm.config
`-> am335x_evm_defconfig
`-> am335x_evm_spiboot_defconfig
`-> am335x_hs_evm.config
`-> am335x_hs_evm_defconfig
`-> am335x_hs_evm_uart_defconfig
Reviewed-by: Tom Rini <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Enable SPL inline optimization to shrink the size. After enabling
OF_UPSTREAM the size is otherwise too big. Enable it before enabling
OF_UPSTREAM to maintain bisect ability.
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
|
|
Enable vidconsole for the am335x-evm board.
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Enable LCD panel support on am335x-evm:
- CLK_CCF and CLK_TI_* for display clock tree
- DM_PWM and PWM_TI_ECAP for backlight control
- VIDEO and AM335X_LCD for display controller
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Add backlight phandle reference to panel node. Without this reference,
the display driver cannot control backlight, leaving the panel dark.
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Markus Schneider-Pargmann (TI) <[email protected]>
|
|
Franz Schnyder <[email protected]> says:
Currently, on the Toradex SMARC iMX95 and the Verdin iMX95 the ENETC
device is not enumerated before network initialization because
pci_init() is not called. As a result, no Ethernet device is registered.
Enable CONFIG_PCI_INIT_R so the PCI buses are enumerated early enough
for the Ethernet Controller to be detected and used.
Link: https://lore.kernel.org/r/20260612-fix-smarc-verdin-imx95-eth-v1-0-851197b36dcc@toradex.com
|
|
Currently, the ENETC device on iMX95 is not enumerated before network
initialization because pci_init() is not called. As a result, no
Ethernet device is registered.
Enable CONFIG_PCI_INIT_R so the PCI buses are enumerated early enough
for the Ethernet Controller to be detected and used.
Fixes: 60d8255d8dc0 ("board: toradex: add Toradex Verdin iMX95")
Signed-off-by: Franz Schnyder <[email protected]>
Reviewed-by: Francesco Dolcini <[email protected]>
|
|
Currently, the ENETC device on iMX95 is not enumerated before network
initialization because pci_init() is not called. As a result, no
Ethernet device is registered.
Enable CONFIG_PCI_INIT_R so the PCI buses are enumerated early enough
for the Ethernet Controller to be detected and used.
Fixes: ff0540fcfe49 ("board: toradex: add Toradex SMARC iMX95")
Signed-off-by: Franz Schnyder <[email protected]>
Reviewed-by: Francesco Dolcini <[email protected]>
|
|
dma-range fixups"
Aristo Chen <[email protected]> says:
boot/fdt_support.c contains a number of helpers that fix up the kernel
devicetree handed to the OS during bootm/booti. Several of those
helpers consume fdt_getprop() results without validating the returned
length against the per-entry size implied by the surrounding cell-count
arithmetic. When the OS devicetree is not signature-verified, for
example an unsigned FIT, a DT loaded from $fdtaddr or $fdtcontroladdr,
or a DT supplied over a network boot, the property is
attacker-influenced and the missing checks turn into out-of-bounds
reads or writes on the FDT blob and on stack buffers.
The first patch targets fdt_fixup_stdout(). The function copies the
value of /aliases/serialN into a fixed 256-byte stack buffer before
publishing it as /chosen/linux,stdout-path, but does not check that
the property fits. The patch rejects an oversized property with a
debug-only message and -FDT_ERR_NOSPACE so the unbounded memcpy
cannot run.
The second patch addresses fdt_get_dma_range(). The function reads
one full dma-ranges entry of (na + pna + ns) * sizeof(u32) bytes
after checking only that the returned length is non-zero. A
dma-ranges property shorter than one entry causes the subsequent
fdt_read_number() and fdt_translate_dma_address() calls to read past
the property within the FDT blob. The patch validates the length
against one full entry and returns -EINVAL when the property is too
short, matching the existing failure paths in this function.
Both rejection paths use debug() rather than printf() so production
builds do not pay any .text or .rodata growth for the new diagnostic
text. Measured against master on real cross-compiled targets, the v1
printf form added 88 bytes of .text on CMPCPRO_defconfig (which links
the fdt_fixup_stdout check) and 119 bytes on rpi_arm64_defconfig
(which links fdt_get_dma_range). The v2 debug form adds 0 bytes on
CMPCPRO and 20 bytes on rpi_arm64; the 20-byte residual is the
length-check branch itself, not the diagnostic.
Build tested with kontron_sl28_defconfig (aarch64),
CMPCPRO_defconfig (powerpc, which enables both
CONFIG_OF_STDOUT_VIA_ALIAS and CONFIG_CONS_INDEX and therefore links
the new bounds check in fdt_fixup_stdout), rpi_arm64_defconfig
(aarch64, links fdt_get_dma_range) and sandbox_defconfig. All builds
are clean and scripts/checkpatch.pl reports no errors, warnings, or
checks on either patch.
Link: https://lore.kernel.org/r/[email protected]
|
|
fdt_get_dma_range() fetches the dma-ranges property with fdt_getprop()
and checks only that the length is non-zero before reading one full
entry from it. The entry size depends on na, pna and ns cells returned
by count_cells, which come from the parent buses in the devicetree.
A dma-ranges property shorter than (na + pna + ns) * sizeof(u32) bytes
causes fdt_read_number() and fdt_translate_dma_address() to read past
the end of the property within the FDT blob, an out-of-bounds read of
attacker-influenced data when the OS devicetree is not signature
verified.
Reject the property when its length is smaller than one full entry and
return -EINVAL, matching the existing failure paths in this function.
Use debug() rather than printf() for the rejection text so that
production builds do not pay any .text or .rodata growth for the new
diagnostic.
Signed-off-by: Aristo Chen <[email protected]>
|
|
fdt_fixup_stdout() reads the path stored in /aliases/serialN with
fdt_getprop() and then memcpys it into a fixed 256-byte stack buffer.
The length returned by libfdt is the raw on-disk property size and is
not bounded by any console-path convention, so an oversized property
in a malformed or untrusted devicetree overflows the buffer with
attacker-controlled length and contents. The "/* long enough */"
comment next to tmp[] codifies an unchecked assumption.
Reject lengths that exceed sizeof(tmp) with a debug-only message and
return -FDT_ERR_NOSPACE. The fixup runs during fdt_chosen() on every
booted kernel when CONFIG_OF_STDOUT_VIA_ALIAS is enabled, and when
the OS devicetree is not signature-verified the property is reachable
from an attacker-influenced blob. Using debug() rather than printf()
keeps the rejection text out of production builds so there is no
.text or .rodata growth on space-constrained targets.
Signed-off-by: Aristo Chen <[email protected]>
|
|
dotted directories"
Aristo Chen <[email protected]> says:
The get_basename() helper in tools/fit_image.c searches the entire input
path independently for the last '/' and the last '.'. When the last '.'
falls at an offset earlier than the last '/', for example "./mydt",
"a.b/c" or "sub.d/leaf", 'end' points before 'start' and the computed
length is negative. The size check uses signed comparison so the negative
value flows unchanged into memcpy() (cast to size_t there) and mkimage
segfaults during -f auto FIT generation. The helper is reached on every
auto-FIT build via the -b, --fit-tee and --fit-tfa-bl31 file arguments.
The first patch restricts the dot search to the substring that follows
the last slash, which is the minimal fix and preserves the existing
behaviour for typical inputs such as "arch/arm/dts/foo.dtb".
The second patch adds a parametrized sandbox test under
test/py/tests/test_fit_mkimage_validate.py that drives mkimage -f auto
with each of the crashing inputs ("./mydt", "./sub.d/leaf", "./a.b/c")
plus one control input ("./mydt.dtb"). The test reads the resulting
/images/fdt-1 description back from the produced FIT via fdtget to verify
get_basename()'s output matches the expected stripped basename.
Reproducer that previously segfaulted and now produces a valid image:
echo dummy > kernel.bin
echo dummy > ./mydt
./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
-a 0x80000000 -e 0x80000000 -n test \
-d kernel.bin -b ./mydt out.itb
Verified by rebuilding tools/mkimage on master and running the command
above with each of the four parametrized inputs. The three crash triggers
all segfault before the fix and now produce the expected fdt-1
descriptions ("mydt", "leaf", "c"); the control input "./mydt.dtb"
continues to produce "mydt" as before.
Link: https://lore.kernel.org/r/[email protected]
|
|
Add a parametrized regression test for the fix in the previous commit.
The test invokes mkimage in auto-FIT mode (-f auto) with a -b argument
whose directory component contains a '.' and whose leaf either lacks an
extension or is a plain identifier. Before the fix these inputs caused
get_basename() to compute a negative length and segfault inside memcpy.
The test asserts that mkimage exits successfully and that the fdt
sub-image description matches the expected stripped basename, covering
"./mydt", "./sub.d/leaf", and "./a.b/c". A control input of "./mydt.dtb"
is also exercised to confirm normal extension stripping still works.
Signed-off-by: Aristo Chen <[email protected]>
|
|
The get_basename() helper in tools/fit_image.c searches the entire input
path for the last '/' and the last '.' independently. When the last '.'
falls at an offset earlier than the last '/' (for example "./mydt",
"a.b/c", or "sub.d/leaf"), 'end' points before 'start' and the computed
length is negative. The subsequent size check uses signed comparison so
the negative value passes through unchanged, and memcpy() is then called
with that length implicitly cast to size_t, which segfaults.
Restrict the dot search to the substring that follows the last slash so
that only an extension in the filename component can become the end of
the basename. This matches the function's stated intent of stripping an
extension from the leaf, and keeps the existing behaviour for typical
inputs such as "arch/arm/dts/foo.dtb".
Reproducer that previously segfaulted and now produces a valid image:
echo dummy > kernel.bin
echo dummy > ./mydt
./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
-a 0x80000000 -e 0x80000000 -n test \
-d kernel.bin -b ./mydt out.itb
Signed-off-by: Aristo Chen <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
The boot_os[] table in bootm_os.c is a sparse array whose compile-time
size is set by its largest designated initializer (IH_OS_ELF), giving
it IH_OS_ELF + 1 entries. The accessor bootm_os_get_boot_func() returns
boot_os[os] without any bound check, even though the caller in
bootm_run_states() passes images->os.os straight through. That field is
populated by image_get_os() from the raw 8-bit ih_os byte of a legacy
uImage, and by fit_image_get_os() for a FIT, neither of which clamps
the value against the table size.
An attacker-supplied image whose OS field falls outside the populated
range therefore drives an out-of-bounds read of boot_os[]. The caller
only rejects a NULL return, so a non-NULL adjacent global is accepted
as a valid handler and invoked through the indirect call in
boot_selected_os(), turning an unsigned image with a malformed header
into a jump through an attacker-influenced function pointer. FIT
signature verification covers the os property and mitigates this path
for signed images, but legacy bootm and unsigned FIT do not.
Reject out-of-range indices in bootm_os_get_boot_func() so the existing
NULL handling in bootm_run_states() reports an unsupported OS and
declines to boot the image.
Signed-off-by: Aristo Chen <[email protected]>
|
|
dev_read_addr returns FDT_ADDR_T_NONE (-1) in case of error
and not 0.
Signed-off-by: Francois Berder <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The CPSW3G instance of CPSW on AM62AX SoC provides Ethernet functionality.
Currently, Ethernet is supported on Linux which runs on the A53 core on the
SoC, by allocating all of the DMA resources associated with CPSW to A53_2.
In order to enable use-cases where the Ethernet traffic is sent from or
consumed by various CPU cores on the SoC simultaneously, while at the
same time, maintaining backward compatibility with the existing use-case
of A53 being the sole entity that exchanges traffic with CPSW via DMA,
update the DMA resource sharing scheme on AM62AX SoC to the following:
--------------- -------------- ------------- ----------------
Resource WKUP_R5 MCU_R5 A53_2
--------------- -------------- ------------- ----------------
TX Channels [8] => 4 (Primary) 4 (Primary) 8 (Secondary)
TX Rings [64] => 32 (Primary) 32 (Primary) 64 (Secondary)
RX Channels [1] => 1 (Primary) 0 1 (Secondary)
RX Flows [16] => 6 (Primary) 10 (Primary) 16 (Secondary)
In the absence of primary owners of resources (existing use-case
where A53 owns all of the CPSW DMA resources), the secondary owner
can claim all of the resources as its own. For shared use-cases,
the resources that are not claimed by the primary are communicated
to the secondary owner allowing it to claim them. This ensures that
Linux on A53_2 can continue claiming all DMA resources associated
with CPSW in the absence of primary owners, while at the same time
providing users the flexibility to share CPSW DMA resources across
various CPU cores listed above if needed.
While Linux has been mentioned as the Operating System running
on A53, there is no dependency between the Operating System
running on A53 and its ability to claim the CPSW DMA resources
listed above.
Signed-off-by: Siddharth Vadapalli <[email protected]>
Acked-by: Anshul Dalal <[email protected]>
|
|
sc59x processors have 6 I2C controllers, but their devicetrees
currently have only 3. The length of its register block should
be 0x100 instead of 0x1000. All I2C nodes should be disabled in
sc5xx.dtsi. They can be enabled in board devicetree files if
they are used on the boards. Add missing I2C controllers and
fix the above issues.
Signed-off-by: Jie Zhang <[email protected]>
|