--- /dev/null
+From 0ffd456516b5f0c126c9705d6b2368a45ee2353f Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Sun, 29 Jun 2025 15:21:18 +0200
+Subject: [PATCH] env: Fix possible out-of-bound access in env_do_env_set
+
+It was discovered that env_do_env_set() currently suffer from a long
+time of a possible out-of-bound access for the argv array handling.
+
+The BUG is present in the function env_do_env_set() line:
+
+name = argv[1];
+
+where the function at this point assume the argv at index 1 is always
+present and can't be NULL. Aside from the fact that it's always
+better to validate argv entry with the argc variable, situation where
+the argv[1] is NULL is actually possible and not an error condition.
+
+A example of where an out-of-bound access is triggered is with the
+command "askenv - Press ENTER to ...".
+This is a common pattern for bootmenu entry to ask the user input after
+a bootmenu command succeeded.
+
+In the context of such command, the while loop before "name = argv[1];"
+parse the "-" char as an option arg and increment the argv pointer by
+one (to make the rest of the logic code ignore the option argv) and
+decrement argc value.
+
+The while loop logic is correct but at the "name = argv[1];" line, the
+argv have only one element left (the "-" char) and accessing argv[1]
+(aka the secong element from argv pointer) cause an out-of-bound access
+(making the bootloader eventually crash with strchr searching in invalid
+data)
+
+To better handle this and prevent the out-of-bound access, actually
+check the argv entry left (with the use of the argc variable) and exit
+early before doing any kind of array access.
+
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+---
+ env/common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/env/common.c
++++ b/env/common.c
+@@ -82,6 +82,10 @@ int env_do_env_set(int flag, int argc, c
+ }
+ }
+ debug("Final value for argc=%d\n", argc);
++ /* Exit early if we don't have an env to apply */
++ if (argc < 2)
++ return 0;
++
+ name = argv[1];
+
+ if (strchr(name, '=')) {
--- /dev/null
+From 0508c8e120d275d994e6099eb9c60bfaec0c3f5f Mon Sep 17 00:00:00 2001
+From: Shiji Yang <yangshiji66@outlook.com>
+Date: Mon, 21 Jul 2025 21:32:16 +0800
+Subject: [PATCH 1/2] env: mtd: add the missing put_mtd_device()
+
+The mtd device is got in setup_mtd_device(), we must put the mtd
+device before exiting the function to update the mtd use count. This
+patch fixes the following env error:
+
+> Removing MTD device #2 (u-boot-env) with use count 1
+> Error when deleting partition "u-boot-env" (-16)
+
+Fixes: 03fb08d4aef8 ("env: Introduce support for MTD")
+Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
+---
+ env/mtd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/env/mtd.c
++++ b/env/mtd.c
+@@ -131,6 +131,8 @@ static int env_mtd_save(void)
+ puts("done\n");
+
+ done:
++ put_mtd_device(mtd_env);
++
+ if (saved_buf)
+ free(saved_buf);
+
+@@ -188,6 +190,8 @@ static int env_mtd_load(void)
+ gd->env_valid = ENV_VALID;
+
+ out:
++ put_mtd_device(mtd_env);
++
+ free(buf);
+
+ return ret;
+@@ -280,6 +284,8 @@ static int env_mtd_erase(void)
+ ret = 0;
+
+ done:
++ put_mtd_device(mtd_env);
++
+ if (saved_buf)
+ free(saved_buf);
+
--- /dev/null
+From 0ef932f509fd9f9215af2ea4ca2919d3285ddf60 Mon Sep 17 00:00:00 2001
+From: Shiji Yang <yangshiji66@outlook.com>
+Date: Thu, 24 Jul 2025 07:50:40 +0800
+Subject: [PATCH 2/2] env: mtd: initialize saved_buf pointer
+
+When sect_size is greater than CONFIG_ENV_SIZE, this wild
+pointer will cause CPU halt or system crash.
+
+Fixes: 03fb08d4aef8 ("env: Introduce support for MTD")
+Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
+---
+ env/mtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/env/mtd.c
++++ b/env/mtd.c
+@@ -201,7 +201,7 @@ static int env_mtd_erase(void)
+ {
+ struct mtd_info *mtd_env;
+ u32 sect_size, sect_num;
+- char *saved_buf, *tmp;
++ char *saved_buf = NULL, *tmp;
+ struct erase_info ei;
+ size_t ret_len;
+ int remaining;
projects / thirdparty / openwrt.git / commitdiff
