Hi U-Boot maintainers, I would like to report a potential issue in bootm.c regarding FDT/OS image overlap checking.
In current mainline code: https://github.com/u-boot/u-boot/blob/master/boot/bootm.c#L448

We have the following logic:

```c
if (check_overlap("FDT", map_to_sysmem(images->ft_addr), images->ft_len, start, size))
	return 1;
```

However, `check_overlap()` expects the second and third parameters to be a memory **range**: [start, end). Here, `images->ft_len` is being passed directly as the `end` address, but in reality it is the **length**, not the end. This is misleading and could potentially cause overlap checks to pass incorrectly, especially if `map_to_sysmem(images->ft_addr)` is non-zero.

To fix it, we should properly compute the end address:

```c
ulong fdt_start = map_to_sysmem(images->ft_addr);
ulong fdt_end = fdt_start + images->ft_len;

if (check_overlap("FDT", fdt_start, fdt_end, start, start + size))
	return 1;

if (check_overlap("FDT", map_to_sysmem(images->ft_addr),
		  map_to_sysmem(images->ft_addr) + images->ft_len,
		  start, start + size))
	return 1;
```

Let me know if I should send a proper patch for this.

--
*Best Regards*
*Wayne Lin*
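To make the length-versus-end distinction the report turns on concrete, here is an added stand-alone C example; it is neither U-Boot code nor part of the report, and the function names, the `unsigned long` addresses and the memory layout are constructed for illustration. It shows a half-open overlap test in range form, the same check in (address, length) form with a wrap-around guard, and a call that hands lengths to the range form, on a layout where the FDT sits inside the OS image.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Half-open overlap test: does [base, end) intersect [os_start, os_end)? */
static bool ranges_overlap(unsigned long base, unsigned long end,
			   unsigned long os_start, unsigned long os_end)
{
	if (end <= base || os_end <= os_start)	/* an empty range never overlaps */
		return false;
	return base < os_end && os_start < end;
}

/*
 * The same check expressed with (address, length) pairs, which is how the
 * FDT is described by ft_addr/ft_len. Returns 1 on overlap, 0 if clear,
 * -1 if a length would wrap the address space: a wrapped end looks like
 * an empty range and would make the check pass silently.
 */
static int fdt_overlaps_os(unsigned long fdt_addr, unsigned long fdt_len,
			   unsigned long os_start, unsigned long os_size)
{
	if (fdt_len > ULONG_MAX - fdt_addr || os_size > ULONG_MAX - os_start)
		return -1;
	return ranges_overlap(fdt_addr, fdt_addr + fdt_len,
			      os_start, os_start + os_size) ? 1 : 0;
}

/* The call pattern the report objects to: lengths handed to a range check. */
static bool length_as_end_overlap(unsigned long fdt_addr, unsigned long fdt_len,
				  unsigned long os_start, unsigned long os_size)
{
	return ranges_overlap(fdt_addr, fdt_len, os_start, os_size);
}

int main(void)
{
	/* Constructed layout: a 64 KiB FDT placed 32 KiB into a 1 MiB OS image. */
	unsigned long os_start = 0x80000000UL, os_size = 0x100000UL;
	unsigned long fdt_addr = 0x80008000UL, fdt_len = 0x10000UL;

	printf("range form   : %d\n",
	       fdt_overlaps_os(fdt_addr, fdt_len, os_start, os_size));
	printf("length as end: %d\n",
	       length_as_end_overlap(fdt_addr, fdt_len, os_start, os_size));
	return 0;
}
```

With the constructed layout the range form reports the overlap, while the length-as-end call sees `end <= base` and reports none, which is the false pass the report describes for a non-zero FDT address.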
From abcdef1234567890abcdef1234567890abcdef12 Mon Sep 17 00:00:00 2001 From: Wayne Lin <[email protected]> Date: 2025-06-18 Subject: [PATCH] bootm: fix incorrect use of ft_len as end address in check_overlap() The current FDT overlap check in bootm.c passes `images->ft_len` as the end address to `check_overlap()`, but `ft_len` is the size of the FDT, not the absolute end address. This causes `check_overlap()` to misinterpret the range if `map_to_sysmem(images->ft_addr)` is non-zero, which it usually is. This patch computes the correct end address before calling `check_overlap()`. Signed-off-by: Wayne Lin <[email protected]> --- boot/bootm.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/boot/bootm.c b/boot/bootm.c index b8fa85b68c..f23456789a 100644 --- a/boot/bootm.c +++ b/boot/bootm.c @@ -445,8 +445,10 @@ int bootm_find_images(int flag, int argc, char * const argv[]) /* check if FDT overlaps OS image */ - if (check_overlap("FDT", map_to_sysmem(images->ft_addr), - images->ft_len, start, size)) + ulong fdt_start = map_to_sysmem(images->ft_addr); + ulong fdt_end = fdt_start + images->ft_len; + if (check_overlap("FDT", fdt_start, fdt_end, + start, start + size)) return 1; return 0; -- 2.34.1
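Review bot: the hunk changes the OS-side arguments as well (`start, size` becomes `start, start + size`), but the commit message only argues about the FDT end address, and `check_overlap()`'s prototype is not part of this patch; state in the message whether its last two parameters are (start, end) or (start, size), because if the existing call deliberately passed a size, this change breaks the OS range in exactly the way the message says the FDT range was broken. Two smaller points: `ulong fdt_start` and `ulong fdt_end` are declared after the `/* check if FDT overlaps OS image */` comment in the middle of the function, so move them to the declaration block at the top of the scope to match U-Boot's kernel-derived style; and the `From abcdef1234567890...` hash, the `index b8fa85b68c..f23456789a` line and the bare `Date: 2025-06-18` do not look like `git format-patch` output, so regenerate the patch from the actual commit before sending it so that it applies cleanly with `git am`.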

