update_disk.c: enforce bound over memcpy#806
Conversation
There was a problem hiding this comment.
Pull request overview
Adds an explicit size cap for disk-based RAM loads so an attacker-controlled fw_size in an unauthenticated header can’t drive an out-of-bounds write into the RAM load region, and adds regression coverage + example configuration updates.
Changes:
- Enforces
WOLFBOOT_RAMBOOT_MAX_SIZEavailability for non-FSP disk boot and checksfw_sizeagainst it before reading the payload to RAM. - Adds a new unit test (
unit-update-disk-oob) to detect/guard against RAM OOB writes, plus updates the unit-test Makefile to wire it in and to cap the existingunit-update-diskbuffer. - Updates Zynq SD-card example configs to define a reasonable
WOLFBOOT_RAMBOOT_MAX_SIZEcap.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
src/update_disk.c |
Adds compile-time requirement for WOLFBOOT_RAMBOOT_MAX_SIZE (non-FSP) and runtime bound check before disk-to-RAM load. |
tools/unit-tests/unit-update-disk-oob.c |
New regression test that validates oversize fw_size is rejected without writing past the RAM load buffer. |
tools/unit-tests/Makefile |
Registers the new test and defines WOLFBOOT_RAMBOOT_MAX_SIZE for disk-loader unit tests. |
config/examples/zynqmp_sdcard.config |
Adds WOLFBOOT_RAMBOOT_MAX_SIZE cap for disk-boot loads. |
config/examples/zynq7000_sdcard.config |
Adds WOLFBOOT_RAMBOOT_MAX_SIZE cap for disk-boot loads. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dgarske
left a comment
dgarske
left a comment
There was a problem hiding this comment.
I am doing some regression on Zynq. Should have results soon and will merge.
dgarske
left a comment
dgarske
left a comment
There was a problem hiding this comment.
Confirmed fixes issue. Tested on ZC702 and ZCU102 and also verified the regression.
┌─────┬───────────────────────────────────────────────────────────────┬────────┐
│ # │ Test │ Result │
├─────┼───────────────────────────────────────────────────────────────┼────────┤
│ 1 │ Both SD configs build (no #error, no new warnings) │ PASS │
├─────┼───────────────────────────────────────────────────────────────┼────────┤
│ 2 │ Host unit tests (unit-update-disk + unit-update-disk-oob) │ PASS │
├─────┼───────────────────────────────────────────────────────────────┼────────┤
│ 3 │ Positive: normal image boots via update_disk.c │ PASS │
├─────┼───────────────────────────────────────────────────────────────┼────────┤
│ 4 │ Negative-A: forged oversize rejected, falls back to good slot │ PASS │
├─────┼───────────────────────────────────────────────────────────────┼────────┤
│ 5 │ Negative-B: PR 806's new bound fires directly on HW │ PASS │
└─────┴───────────────────────────────────────────────────────────────┴────────┘
PR 806 - Zynq Regression Test Report
Change: bound the unauthenticated on-disk fw_size against WOLFBOOT_RAMBOOT_MAX_SIZE before the disk->RAM copy in src/update_disk.c (prevents a pre-auth OOB write); adds the cap to both Zynq SD configs + a host OOB unit test.
Result: all PASS.
| Test | ZC702 (Cortex-A9) | ZCU102 (ZynqMP A53) |
|---|---|---|
| Build SD config (clean) | PASS | PASS |
Host unit tests (unit-update-disk, unit-update-disk-oob) |
PASS | PASS |
Positive: normal image boots via update_disk.c |
PASS | PASS |
Negative: oversize fw_size rejected, falls back to good slot |
PASS | PASS |
Evidence (negative test):
- ZC702 (FIXED parts):
Image size 805306368 > max 6290432-> fallback boots good slot. - ZCU102 (non-FIXED):
Image size 805306368 > max 734003200(0x2BC00000) -> fallback boots good slot. - Forged
fw_size=0x30000000is rejected before any disk-to-RAM load; good slot boots normally.
Method: real SD-card disk boot exercising update_disk.c. ZC702 via JTAG-loaded wolfBoot + inserted SD; ZCU102 via SD boot (BOOT.BIN: FSBL->PMUFW->BL31->wolfBoot EL2). RSA4096/SHA3 on ZynqMP, ECC256/SHA256 on Zynq-7000.
Notes:
- New
update_disk.cline is defense-in-depth;wolfBoot_open_image_addressalready enforces the same/tighter bound first on both configs, so the redundant guard is exercised in isolation byunit-update-disk-oob. - No regressions: normal under-cap images boot end-to-end on both boards.
ZD#21988