author | Braden Kell <bradenkell@google.com> | 2018-08-24 13:54:18 -0700 |
---|---|---|
committer | faqiang.zhu <faqiang.zhu@nxp.com> | 2018-11-12 09:18:34 +0800 |
commit | 2081a25561c4dcc066cb7fee1a70db7111cfa5ab (patch) | |
tree | 68c8084b31a43863ce5af9f6c9baedcc582fa9da /drivers | |
parent | 434e104b7df161492415c29be24c70dc7c126211 (diff) |
Fix buffer overflow in kernel cmdline handling
Flashing a signed vbmeta image adds extra
parameters to the kernel command line, overflowing
the buffer and corrupting the global data struct.
Increase the command line buffer size from 512
to 1024 to accommodate the extra data, and change
the sprintf's to snprintf's to prevent this from
happening if more parameters are added later.
This bug was exposed by
Idd55dde79eed793dccdd7319600fbd04e11ca12d.
Bug: 112397808
Test: Device boots with images from console and
from local build.
Change-Id: If73d04007d54193527e11e11c6ef326110e899b6
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/usb/gadget/f_fastboot.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c index ae8fe80955..df5e458ca3 100644 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -2097,13 +2097,13 @@ int do_boota(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) { printf(" boot '%s%s' still\n", avb_loadpart->partition_name, avb_out_data->ab_suffix); } - char bootargs_sec[ANDR_BOOT_ARGS_SIZE]; + char bootargs_sec[ANDR_BOOT_EXTRA_ARGS_SIZE]; if (lock_status == FASTBOOT_LOCK) { - sprintf(bootargs_sec, + snprintf(bootargs_sec, sizeof(bootargs_sec), "androidboot.verifiedbootstate=green androidboot.slot_suffix=%s %s", avb_out_data->ab_suffix, avb_out_data->cmdline); } else { - sprintf(bootargs_sec, + snprintf(bootargs_sec, sizeof(bootargs_sec), "androidboot.verifiedbootstate=orange androidboot.slot_suffix=%s %s", avb_out_data->ab_suffix, avb_out_data->cmdline); } |
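Review bot: Both snprintf calls in do_boota() discard the return value, so a command line that does not fit in bootargs_sec is now silently truncated rather than reported. Because avb_out_data->cmdline is the last argument in each format string, truncation drops the tail of the AVB-supplied parameters, possibly mid-token, and the code carries on with an incomplete string. Suggest capturing the result and treating a negative value or one >= sizeof(bootargs_sec) as an error (print a message and abort the boot path) in both the FASTBOOT_LOCK and the else branch. Separately, the declaration switches from ANDR_BOOT_ARGS_SIZE to ANDR_BOOT_EXTRA_ARGS_SIZE, whose definition is outside this diff, so the 512 to 1024 change described in the commit message cannot be confirmed from these lines; a short comment on why this buffer is sized by that constant would help the next reader.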