From 8a63382018c072ba8c3e9f2a40b216e9a35f2536 Mon Sep 17 00:00:00 2001
From: Shiji Yang
Date: Mon, 21 Jul 2025 21:53:33 +0800
Subject: [PATCH] uboot-mediatek: fix various environment errors on u-boot v2025.07

Fix the crash and warnings for the newly introduced env on mtd implementation. Also backport an out-of-bound access fix for the "askenv" command.

Fixes: 41a9c9de66a7 ("uboot-mediatek: update to v2025.07")
Signed-off-by: Shiji Yang
---
 ...-out-of-bound-access-in-env_do_env_s.patch | 55 +++++++++++++++++++
 ...v-mtd-add-the-missing-put_mtd_device.patch | 47 ++++++++++++++++
 ...env-mtd-initialize-saved_buf-pointer.patch | 25 +++++++++
 3 files changed, 127 insertions(+)
 create mode 100644 package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch
 create mode 100644 package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch
 create mode 100644 package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch

diff --git a/package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch b/package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch
new file mode 100644
index 00000000000..f98dcfe95f1
--- /dev/null
+++ b/package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch
@@ -0,0 +1,55 @@
+From 0ffd456516b5f0c126c9705d6b2368a45ee2353f Mon Sep 17 00:00:00 2001
+From: Christian Marangi
+Date: Sun, 29 Jun 2025 15:21:18 +0200
+Subject: [PATCH] env: Fix possible out-of-bound access in env_do_env_set
+
+It was discovered that env_do_env_set() currently suffer from a long
+time of a possible out-of-bound access for the argv array handling.
+
+The BUG is present in the function env_do_env_set() line:
+
+name = argv[1];
+
+where the function at this point assume the argv at index 1 is always
+present and can't be NULL. Aside from the fact that it's always
+better to validate argv entry with the argc variable, situation where
+the argv[1] is NULL is actually possible and not an error condition.
+
+A example of where an out-of-bound access is triggered is with the
+command "askenv - Press ENTER to ...".
+This is a common pattern for bootmenu entry to ask the user input after
+a bootmenu command succeeded.
+
+In the context of such command, the while loop before "name = argv[1];"
+parse the "-" char as an option arg and increment the argv pointer by
+one (to make the rest of the logic code ignore the option argv) and
+decrement argc value.
+
+The while loop logic is correct but at the "name = argv[1];" line, the
+argv have only one element left (the "-" char) and accessing argv[1]
+(aka the secong element from argv pointer) cause an out-of-bound access
+(making the bootloader eventually crash with strchr searching in invalid
+data)
+
+To better handle this and prevent the out-of-bound access, actually
+check the argv entry left (with the use of the argc variable) and exit
+early before doing any kind of array access.
+
+Signed-off-by: Christian Marangi
+---
+ env/common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/env/common.c
++++ b/env/common.c
+@@ -82,6 +82,10 @@ int env_do_env_set(int flag, int argc, c
+ }
+ }
+ debug("Final value for argc=%d\n", argc);
++ /* Exit early if we don't have an env to apply */
++ if (argc < 2)
++ return 0;
++
+ name = argv[1];
+
+ if (strchr(name, '=')) {
diff --git a/package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch b/package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch
new file mode 100644
index 00000000000..61c4b6e8b1c
--- /dev/null
+++ b/package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch
@@ -0,0 +1,47 @@
+From 0508c8e120d275d994e6099eb9c60bfaec0c3f5f Mon Sep 17 00:00:00 2001
+From: Shiji Yang
+Date: Mon, 21 Jul 2025 21:32:16 +0800
+Subject: [PATCH 1/2] env: mtd: add the missing put_mtd_device()
+
+The mtd device is got in setup_mtd_device(), we must put the mtd
+device before exiting the function to update the mtd use count. This
+patch fixes the following env error:
+
+> Removing MTD device #2 (u-boot-env) with use count 1
+> Error when deleting partition "u-boot-env" (-16)
+
+Fixes: 03fb08d4aef8 ("env: Introduce support for MTD")
+Signed-off-by: Shiji Yang
+---
+ env/mtd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/env/mtd.c
++++ b/env/mtd.c
+@@ -131,6 +131,8 @@ static int env_mtd_save(void)
+ puts("done\n");
+
+ done:
++ put_mtd_device(mtd_env);
++
+ if (saved_buf)
+ free(saved_buf);
+
+@@ -188,6 +190,8 @@ static int env_mtd_load(void)
+ gd->env_valid = ENV_VALID;
+
+ out:
++ put_mtd_device(mtd_env);
++
+ free(buf);
+
+ return ret;
+@@ -280,6 +284,8 @@ static int env_mtd_erase(void)
+ ret = 0;
+
+ done:
++ put_mtd_device(mtd_env);
++
+ if (saved_buf)
+ free(saved_buf);
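Review bot: `put_mtd_device(mtd_env);` is placed at the shared `done:`/`out:` cleanup labels, so it also runs on any error path that jumps there before setup_mtd_device() has assigned mtd_env; env_mtd_erase declares `struct mtd_info *mtd_env;` with no initializer (visible in the 130-02 hunk), and the early-exit paths of all three functions lie outside these hunks. If such a path exists, the call operates on an indeterminate pointer, the same class of defect that 130-02 fixes for saved_buf. Worth either confirming that no `goto done`/`goto out` precedes a successful setup, or initializing `struct mtd_info *mtd_env = NULL;` and guarding with `if (mtd_env) put_mtd_device(mtd_env);` if put_mtd_device() does not tolerate NULL. The bodies of env_mtd_save, env_mtd_load and env_mtd_erase all begin before these hunks.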
diff --git a/package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch b/package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch
new file mode 100644
index 00000000000..206d3b3560f
--- /dev/null
+++ b/package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch
@@ -0,0 +1,25 @@
+From 0ef932f509fd9f9215af2ea4ca2919d3285ddf60 Mon Sep 17 00:00:00 2001
+From: Shiji Yang
+Date: Thu, 24 Jul 2025 07:50:40 +0800
+Subject: [PATCH 2/2] env: mtd: initialize saved_buf pointer
+
+When sect_size is greater than CONFIG_ENV_SIZE, this wild
+pointer will cause CPU halt or system crash.
+
+Fixes: 03fb08d4aef8 ("env: Introduce support for MTD")
+Signed-off-by: Shiji Yang
+---
+ env/mtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/env/mtd.c
++++ b/env/mtd.c
+@@ -201,7 +201,7 @@ static int env_mtd_erase(void)
+ {
+ struct mtd_info *mtd_env;
+ u32 sect_size, sect_num;
+- char *saved_buf, *tmp;
++ char *saved_buf = NULL, *tmp;
+ struct erase_info ei;
+ size_t ret_len;
+ int remaining;
--
2.47.2
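Review bot: The initializer is added only to env_mtd_erase's declaration, yet env_mtd_save has the identical `if (saved_buf) free(saved_buf);` cleanup at its own `done:` label (see the 130-01 hunk) and its declaration of saved_buf is not in view. If that declaration is likewise uninitialized, the wild-pointer free the commit message describes stays reachable from env_mtd_save whenever it jumps to `done:` before saved_buf is assigned; worth checking and applying `char *saved_buf = NULL, *tmp;` there as well. The `if (saved_buf)` guard before free() is also redundant once the pointer is reliably NULL-initialized, since free(NULL) is a no-op. env_mtd_erase's body continues past the hunk.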