vbe: Convert some checks to assertions
VBE is currently quite careful with function arguments because it is
used in VPL which cannot be updated after manufacture. Bugs can cause
security holes.
Unfortunately this adds to code size.
In several cases we are reading values from a devicetree which is part
of U-Boot (or at least VPL) and so known to be good. Also, in several
places, getting bad values does not matter.
So change a few checks to assert() to reduce code size.
Signed-off-by: Simon Glass <sjg@chromium.org>
diff --git a/boot/vbe_simple.c b/boot/vbe_simple.c
index 1b9cf27..313f063 100644
--- a/boot/vbe_simple.c
+++ b/boot/vbe_simple.c
@@ -27,12 +27,17 @@
{
int start;
- if (priv->version_size > MMC_MAX_BLOCK_LEN)
- return log_msg_ret("ver", -E2BIG);
+ /* we can use an assert() here since we already read only one block */
+ assert(priv->version_size <= MMC_MAX_BLOCK_LEN);
start = priv->area_start + priv->version_offset;
- if (start & (MMC_MAX_BLOCK_LEN - 1))
- return log_msg_ret("get", -EBADF);
+
+ /*
+ * we can use an assert() here since reading the wrong block will just
+ * cause an invalid version-string to be (safely) read
+ */
+ assert(!(start & (MMC_MAX_BLOCK_LEN - 1)));
+
start /= MMC_MAX_BLOCK_LEN;
if (blk_read(blk, start, 1, buf) != 1)
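Review bot: The justification in the first new comment, "we already read only one block", points at the `blk_read(blk, start, 1, buf)` at the bottom of this hunk, which has not happened yet when the assert runs, and it leaves unstated the thing a reader actually needs: in U-Boot `assert()` is compiled out unless DEBUG is defined, so on a shipped VPL `priv->version_size` is simply unchecked from here on. That is only safe if nothing after this hunk uses `priv->version_size` as a copy length out of `buf`; the rest of the function lies outside the hunk, so I cannot confirm it from here and the comment should pin that invariant rather than hint at it, e.g. `/* assert() is enough: blk_read() below reads exactly one block into buf and version_size is never used as a copy length from it; note assert() is a no-op in non-DEBUG builds */`. The same applies to the alignment assert: when it is compiled out, a misaligned `start` is silently divided down to a neighbouring block, which the second comment already accepts as harmless for a version string.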
@@ -51,12 +56,21 @@
const struct vbe_nvdata *nvd;
int start;
- if (priv->state_size > MMC_MAX_BLOCK_LEN)
- return log_msg_ret("state", -E2BIG);
+ /* we can use an assert() here since we already read only one block */
+ assert(priv->state_size <= MMC_MAX_BLOCK_LEN);
start = priv->area_start + priv->state_offset;
- if (start & (MMC_MAX_BLOCK_LEN - 1))
- return log_msg_ret("get", -EBADF);
+
+ /*
+ * We can use an assert() here since reading the wrong block will just
+ * cause invalid state to be (safely) read. If the crc passes, then we
+ * obtain invalid state and it will likely cause booting to fail.
+ *
+ * VBE relies on valid values being in U-Boot's devicetree, so this
+ * should not every be wrong on a production device.
+ */
+ assert(!(start & (MMC_MAX_BLOCK_LEN - 1)));
+
start /= MMC_MAX_BLOCK_LEN;
if (blk_read(blk, start, 1, buf) != 1)
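Review bot: The comment above the alignment assert has a typo, `should not every be wrong` should read `should not ever be wrong`, and it should also say explicitly that `assert()` compiles to nothing in a non-DEBUG U-Boot build, since that is why the claim about the devicetree has to hold on a production device: with the check gone, a misaligned `start` is divided down to the wrong block and only the header/crc8 validation further down (outside this hunk) stands between that and acting on garbage. Suggested wording for that paragraph: `VBE relies on valid values being in U-Boot's devicetree, which ships inside the VPL image, so this should not ever be wrong on a production device; assert() is a no-op there.` The "inside the VPL image" part comes from the commit message rather than from this file, so confirm it before writing it down. The enclosing function continues past the hunk.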
@@ -67,7 +81,7 @@
if (hdr_ver != NVD_HDR_VER_CUR)
return log_msg_ret("hdr", -EPERM);
size = 1 << hdr_size;
- if (size > sizeof(*nvd))
+ if (!size || size > sizeof(*nvd))
return log_msg_ret("sz", -ENOEXEC);
crc = crc8(0, buf + 1, size - 1);
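Review bot: The added `!size` guard only fires if `1 << hdr_size` produces zero, which for a 32-bit `size` means a shift count of 32 or more, where the shift is already undefined behaviour rather than a value you can test after the fact; if `hdr_size` can be that large the check belongs on the count, before the shift, e.g. `if (hdr_size >= 8 * sizeof(size)) return log_msg_ret("sz", -ENOEXEC);`, and if it is already masked to a few bits when extracted from `nvd->hdr` (above the hunk, not visible here) the `!size` test is dead and a one-line comment saying why it is kept would save the next reader the same analysis. Separately, `crc = crc8(0, buf + 1, size - 1)` stays inside `buf` only because `size <= sizeof(*nvd)` and `buf` holds one block, so now that the runtime `state_size` bound has become an assert a `BUILD_BUG_ON(sizeof(*nvd) > MMC_MAX_BLOCK_LEN)` next to the read would make that dependency explicit.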