From: Simon Glass Date: Thu, 16 Jan 2025 01:27:06 +0000 (-0700) Subject: vbe: Convert some checks to assertions X-Git-Tag: v2025.04-rc1~32^2~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27008ce51388faa448bf7b20b7e8104b8bc972a6;p=thirdparty%2Fu-boot.git vbe: Convert some checks to assertions VBE is currently quite careful with function arguments because it is used in VPL which cannot be updated after manufacture. Bugs can cause security holes. Unfortunately this adds to code size. In several cases we are reading values from a devicetree which is part of U-Boot (or at least VPL) and so known to be good. Also, in several places, getting bad values does not matter. So change a few checks to assert() to reduce code size. Signed-off-by: Simon Glass --- diff --git a/boot/vbe_simple.c b/boot/vbe_simple.c index 1b9cf276921..313f063fa18 100644 --- a/boot/vbe_simple.c +++ b/boot/vbe_simple.c @@ -27,12 +27,17 @@ static int simple_read_version(const struct simple_priv *priv, { int start; - if (priv->version_size > MMC_MAX_BLOCK_LEN) - return log_msg_ret("ver", -E2BIG); + /* we can use an assert() here since we already read only one block */ + assert(priv->version_size <= MMC_MAX_BLOCK_LEN); start = priv->area_start + priv->version_offset; - if (start & (MMC_MAX_BLOCK_LEN - 1)) - return log_msg_ret("get", -EBADF); + + /* + * we can use an assert() here since reading the wrong block will just + * cause an invalid version-string to be (safely) read + */ + assert(!(start & (MMC_MAX_BLOCK_LEN - 1))); + start /= MMC_MAX_BLOCK_LEN; if (blk_read(blk, start, 1, buf) != 1) @@ -51,12 +56,21 @@ static int simple_read_nvdata(const struct simple_priv *priv, const struct vbe_nvdata *nvd; int start; - if (priv->state_size > MMC_MAX_BLOCK_LEN) - return log_msg_ret("state", -E2BIG); + /* we can use an assert() here since we already read only one block */ + assert(priv->state_size <= MMC_MAX_BLOCK_LEN); start = priv->area_start + priv->state_offset; - if (start & (MMC_MAX_BLOCK_LEN - 1)) - return log_msg_ret("get", -EBADF); + + /* + * We can use an assert() here since reading the wrong block will just + * cause invalid state to be (safely) read. If the crc passes, then we + * obtain invalid state and it will likely cause booting to fail. + * + * VBE relies on valid values being in U-Boot's devicetree, so this + * should not every be wrong on a production device. + */ + assert(!(start & (MMC_MAX_BLOCK_LEN - 1))); + start /= MMC_MAX_BLOCK_LEN; if (blk_read(blk, start, 1, buf) != 1) @@ -67,7 +81,7 @@ static int simple_read_nvdata(const struct simple_priv *priv, if (hdr_ver != NVD_HDR_VER_CUR) return log_msg_ret("hdr", -EPERM); size = 1 << hdr_size; - if (size > sizeof(*nvd)) + if (!size || size > sizeof(*nvd)) return log_msg_ret("sz", -ENOEXEC); crc = crc8(0, buf + 1, size - 1);