From 6981c59de37d7355deb295f15c374e7e1cc61cba Mon Sep 17 00:00:00 2001
From: CTCaer
Date: Wed, 17 Mar 2021 09:14:50 +0200
Subject: [PATCH] gpt: properly check that GPT is valid
---
 bootloader/storage/nx_emmc.c | 5 +++++
 .../frontend/gui_tools_partition_manager.c | 17 ++++++++++-------
 nyx/nyx_gui/storage/nx_emmc.c | 5 +++++
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/bootloader/storage/nx_emmc.c b/bootloader/storage/nx_emmc.c
index 1f870b1..223c449 100644
--- a/bootloader/storage/nx_emmc.c
+++ b/bootloader/storage/nx_emmc.c
@@ -34,6 +34,10 @@ void nx_emmc_gpt_parse(link_t *gpt, sdmmc_storage_t *storage)
 emummc_storage_read(NX_GPT_FIRST_LBA, NX_GPT_NUM_BLOCKS, gpt_buf);
+ // Check if no GPT or more than max allowed entries.
+ if (memcmp(&gpt_buf->header.signature, "EFI PART", 8) || gpt_buf->header.num_part_ents > 128)
+ goto out;
+
 for (u32 i = 0; i < gpt_buf->header.num_part_ents; i++)
 {
 emmc_part_t *part = (emmc_part_t *)calloc(sizeof(emmc_part_t), 1);
@@ -54,6 +58,7 @@ void nx_emmc_gpt_parse(link_t *gpt, sdmmc_storage_t *storage)
 list_append(gpt, &part->link);
 }
+out:
 free(gpt_buf);
 }
diff --git a/nyx/nyx_gui/frontend/gui_tools_partition_manager.c b/nyx/nyx_gui/frontend/gui_tools_partition_manager.c
index 3bd2059..5cc6816 100644
--- a/nyx/nyx_gui/frontend/gui_tools_partition_manager.c
+++ b/nyx/nyx_gui/frontend/gui_tools_partition_manager.c
@@ -750,7 +750,7 @@ static u32 _get_available_l4t_partition()
 // Search for a suitable partition.
 u32 size_sct = 0;
- if (!memcmp(&gpt->header.signature, "EFI PART", 8))
+ if (!memcmp(&gpt->header.signature, "EFI PART", 8) || gpt->header.num_part_ents > 128)
 {
 for (u32 i = 0; i < gpt->header.num_part_ents; i++)
 {
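Review bot: In `nx_emmc_gpt_parse()` the result of `emummc_storage_read()` on the line above the new check is never tested, so after a failed read the signature and `num_part_ents` comparison runs on whatever `gpt_buf` already held; how that buffer is allocated is outside this hunk. The partition table is data read from storage and should be treated as untrusted, so the read should be checked before the header is inspected: assuming the function returns non-zero on success, `if (!emummc_storage_read(NX_GPT_FIRST_LBA, NX_GPT_NUM_BLOCKS, gpt_buf)) goto out;`. The same applies to the matching hunk in nyx/nyx_gui/storage/nx_emmc.c and to the `sdmmc_storage_read()` calls visible in the -791 and -998 hunks of gui_tools_partition_manager.c. Since the function returns void, a one-line comment at `out:` stating that the list is left empty when no valid GPT is found would document what callers can expect.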
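Review bot: The changed condition in `_get_available_l4t_partition()` joins the new bound to the negated signature test with `||`, so the loop is entered when the signature is wrong but `num_part_ents` exceeds 128, and is still entered for a valid signature with more than 128 entries. That is the opposite of what the other hunks in this patch do, and it leaves the loop over `gpt->header.num_part_ents` bounded only by a value taken from the on-disk header. The line should read `if (!memcmp(&gpt->header.signature, "EFI PART", 8) && gpt->header.num_part_ents <= 128)`. The loop body continues outside the hunk.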
@@ -791,7 +791,7 @@ static bool _get_available_android_partition()
 sdmmc_storage_read(&sd_storage, 1, sizeof(gpt_t) >> 9, gpt);
 // Check if GPT.
- if (memcmp(&gpt->header.signature, "EFI PART", 8))
+ if (memcmp(&gpt->header.signature, "EFI PART", 8) || gpt->header.num_part_ents > 128)
 goto out;
 // Find kernel partition.
@@ -998,7 +998,7 @@ static lv_res_t _action_flash_android_data(lv_obj_t * btns, const char * txt)
 sdmmc_storage_read(&sd_storage, 1, sizeof(gpt_t) >> 9, gpt);
 bool boot_twrp = false;
- if (memcmp(&gpt->header.signature, "EFI PART", 8))
+ if (memcmp(&gpt->header.signature, "EFI PART", 8) || gpt->header.num_part_ents > 128)
 {
 lv_label_set_text(lbl_status, "#FFDD00 Error:# No Android GPT was found!");
 goto error;
@@ -1941,7 +1941,7 @@ static void create_mbox_check_files_total_size()
 lv_obj_t *lbl_part = lv_label_create(h1, NULL);
 lv_label_set_recolor(lbl_part, true);
- lv_label_set_text(lbl_part, "#00DDFF Current partition layout:#");
+ lv_label_set_text(lbl_part, "#00DDFF Current MBR partition layout:#");
 // Read current MBR.
 mbr_t mbr = { 0 };
@@ -2059,9 +2059,9 @@ static lv_res_t _action_fix_mbr(lv_obj_t *btn)
 sd_unmount();
- if (memcmp(&gpt->header.signature, "EFI PART", 8))
+ if (memcmp(&gpt->header.signature, "EFI PART", 8) || gpt->header.num_part_ents > 128)
 {
- lv_label_set_text(lbl_status, "#FFDD00 Warning:# No GPT was found!");
+ lv_label_set_text(lbl_status, "#FFDD00 Warning:# No valid GPT was found!");
 goto out;
 }
@@ -2110,7 +2110,10 @@ static lv_res_t _action_fix_mbr(lv_obj_t *btn)
 break;
 }
- mbr[1].partitions[mbr_idx].type = 0xEE; // GPT protective partition.
+ nx_emmc_gpt_free(&gpt_parsed);
+
+ // Set GPT protective partition.
+ mbr[1].partitions[mbr_idx].type = 0xEE;
 mbr[1].partitions[mbr_idx].start_sct = 1;
 mbr[1].partitions[mbr_idx].size_sct = sd_storage.sec_cnt - 1;
diff --git a/nyx/nyx_gui/storage/nx_emmc.c b/nyx/nyx_gui/storage/nx_emmc.c
index 2a945f3..f7a2a94 100644
--- a/nyx/nyx_gui/storage/nx_emmc.c
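Review bot: The validity test changed in `_get_available_android_partition()` is written out again in the -998 and -2059 hunks and, negated, in -750, each time with the bare literal 128. One static helper, for example `static bool _gpt_is_valid(const gpt_t *gpt)`, with the limit as a named constant documented as the maximum allowed entry count, would keep the polarity and the bound in one place. The -998 hunk also still reports `No Android GPT was found!` when the signature matches but the entry count is too large, whereas the message in -2059 was reworded to `No valid GPT was found!`.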
+++ b/nyx/nyx_gui/storage/nx_emmc.c
@@ -33,6 +33,10 @@ void nx_emmc_gpt_parse(link_t *gpt, sdmmc_storage_t *storage)
 sdmmc_storage_read(storage, NX_GPT_FIRST_LBA, NX_GPT_NUM_BLOCKS, gpt_buf);
+ // Check if no GPT or more than max allowed entries.
+ if (memcmp(&gpt_buf->header.signature, "EFI PART", 8) || gpt_buf->header.num_part_ents > 128)
+ goto out;
+
 for (u32 i = 0; i < gpt_buf->header.num_part_ents; i++)
 {
 emmc_part_t *part = (emmc_part_t *)calloc(sizeof(emmc_part_t), 1);
@@ -53,6 +57,7 @@ void nx_emmc_gpt_parse(link_t *gpt, sdmmc_storage_t *storage)
 list_append(gpt, &part->link);
 }
+out:
 free(gpt_buf);
 }