From: Heinrich Schuchardt
Date: Fri, 15 Jan 2021 13:19:19 +0100
Subject: [PATCH] autoboot: fix illegal memory access when stop key and delay key are empty
Message-ID: <7b1208ef-ab69-6247-9f5d-689703199b35@gmx.de>
To: u-boot@lists.denx.de

On 15.01.21 04:11, Yuezhang.Mo at sony.com wrote:
> If both stop key and delay key are empty, the length of these
> keys is 0. The subtraction operation will cause the u_int type
> variable to overflow, which will cause illegal memory access in the
> key input loop.
>
> This commit fixes this bug by using int type instead of u_int.
> ---
> common/autoboot.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/common/autoboot.c b/common/autoboot.c
> index e628baffb8..61fb09f910 100644
> --- a/common/autoboot.c
> +++ b/common/autoboot.c
> @@ -156,9 +156,9 @@ static int passwd_abort_key(uint64_t etime)
> };
>
> char presskey[MAX_DELAY_STOP_STR];
> - u_int presskey_len = 0;
> - u_int presskey_max = 0;
> - u_int i;
> + int presskey_len = 0;
> + int presskey_max = 0;

Neither index can be negative. So it is understandable that u_int was chosen.

You could avoid the subtraction instead of changing the type:

-for (i = 0; i < presskey_max - 1; i++)
+for (i = 0; i + 1 < presskey_max; i++)

Acked-by: Heinrich Schuchardt

> + int i;
>
> # ifdef CONFIG_AUTOBOOT_DELAY_STR
> if (delaykey[0].str == NULL)
>
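Review bot: The hunk changes only the three declarations, so the actual fix (the loop bound `presskey_max - 1` no longer wrapping to UINT_MAX when both keys are empty and presskey_max is 0) depends on a comparison that is not visible in this diff; the commit message should name that loop so a reader of the log can see why a type change is sufficient. Since presskey_len and presskey_max are lengths that can never be negative, the narrower alternative already raised in this thread is to keep u_int and rewrite the bound as `for (i = 0; i + 1 < presskey_max; i++)`, which avoids the unsigned underflow without making the counters signed; if the signed version is kept, any place these variables are compared against an unsigned length (for example a strlen() result) should be checked for signed/unsigned comparison warnings. Minor: the original commit message had "u_init" where "u_int" is meant.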