On Tue, Jan 06, 2026 at 11:16:33AM -0600, Tom Rini wrote: > On Tue, Dec 23, 2025 at 05:44:56PM -0600, Chris Morgan wrote: > > > From: Chris Morgan <[email protected]> > > > > It looks like under certain circumstances when reading the vendor_boot > > partition it causes my device to write outside the range of memory > > available. Near as I can tell this occurs because > > scan_vendor_boot_part() calls android_image_get_vendor_bootimg_size() > > which calls android_vendor_boot_image_v3_v4_parse_hdr() which calls > > add_trailer() which attempts to copy information to a buffer allocated > > with malloc in the scan_vendor_boot_part() function. On my board the > > memory set aside for malloc is at the top of the system RAM, and given > > a large enough vendor boot image size this causes the write from > > add_trailer() to occur outside of the system RAM (nevermind outside > > of what was allocated with the malloc(). > > > > While I don't know the absolute best way to handle this, I would assume > > that if we simply map the memory we want to use to where we will > > eventually load the vendor_boot image that would be the most logical. > > > > Fixes: abadcda24b10 ("bootstd: android: don't read whole partition sizes") > > Signed-off-by: Chris Morgan <[email protected]> > > --- > > boot/bootmeth_android.c | 20 ++++++-------------- > > 1 file changed, 6 insertions(+), 14 deletions(-) > > > > diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c > > index 1374551dbeb..c2c25d53ef3 100644 > > --- a/boot/bootmeth_android.c > > +++ b/boot/bootmeth_android.c > > @@ -118,9 +118,10 @@ static int scan_vendor_boot_part(struct udevice *blk, > > struct android_priv *priv) > > struct blk_desc *desc = dev_get_uclass_plat(blk); > > struct disk_partition partition; > > char partname[PART_NAME_LEN]; > > - ulong num_blks, bufsz; > > + ulong num_blks; > > char *buf; > > int ret; > > + ulong vloadaddr = env_get_hex("vendor_boot_comp_addr_r", 0); > > > > if (priv->slot) > > sprintf(partname, VENDOR_BOOT_PART_NAME "_%s", priv->slot); > > @@ -132,28 +133,19 @@ static int scan_vendor_boot_part(struct udevice *blk, > > struct android_priv *priv) > > return log_msg_ret("part info", ret); > > > > num_blks = DIV_ROUND_UP(sizeof(struct andr_vnd_boot_img_hdr), > > desc->blksz); > > - bufsz = num_blks * desc->blksz; > > - buf = malloc(bufsz); > > + buf = map_sysmem(vloadaddr, 0); > > if (!buf) > > return log_msg_ret("buf", -ENOMEM); > > > > ret = blk_read(blk, partition.start, num_blks, buf); > > - if (ret != num_blks) { > > - free(buf); > > + if (ret != num_blks) > > return log_msg_ret("part read", -EIO); > > - } > > > > - if (!is_android_vendor_boot_image_header(buf)) { > > - free(buf); > > + if (!is_android_vendor_boot_image_header(buf)) > > return log_msg_ret("header", -ENOENT); > > - } > > > > - if (!android_image_get_vendor_bootimg_size(buf, > > &priv->vendor_boot_img_size)) { > > - free(buf); > > + if (!android_image_get_vendor_bootimg_size(buf, > > &priv->vendor_boot_img_size)) > > return log_msg_ret("get vendor bootimg size", -EINVAL); > > - } > > - > > - free(buf); > > > > return 0; > > } > > I haven't forgotten about this, but I'm hoping there's some other way to > solve this, I'm not super keen on adding another environment variable > (that would need to be documented in a v2 if we can't fix this some > other way). Mattijs, do you have any ideas? >
Would using hdr->ramdisk_addr as the end address in android_vendor_boot_image_v3_v4_parse_hdr() work instead of (ulong)hdr? That of course assumes the ram disk isn't manually loaded elsewhere. Thank you, Chris > -- > Tom
