From 01bf572be8a04b2c4c32b9c6118a084061b42b48 Mon Sep 17 00:00:00 2001
From: Bill Richardson <wfrichar@chromium.org>
Date: Fri, 11 Nov 2011 13:16:51 -0800
Subject: [PATCH] Sanity-check output of VbExDiskGetInfo()

BUG=chromium-os:22724
TEST=none

Source change only, nothing for QA to test.

Change-Id: I058137c04622b5aedae4a94ce6e3887325c16974
Reviewed-on: https://gerrit.chromium.org/gerrit/11546
Tested-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
---
 firmware/lib/vboot_api_kernel.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 76ab9ae0ca..dadcfcd51b 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -69,6 +69,15 @@ uint32_t VbTryLoadKernel(VbCommonParams* cparams, LoadKernelParams* p,
   /* Loop over disks */
   for (i = 0; i < disk_count; i++) {
     VBDEBUG(("VbTryLoadKernel() trying disk %d\n", (int)i));
+    /* Sanity-check what we can. FWIW, VbTryLoadKernel() is always called
+     * with only a single bit set in get_info_flags
+     */
+    if (512 != disk_info[i].bytes_per_lba || /* cgptlib restriction */
+        32 > disk_info[i].lba_count ||       /* ditto */
+        get_info_flags != disk_info[i].flags) { /* got only what we asked for */
+      VBDEBUG(("  skipping - bogus parameters\n"));
+      continue;
+    }
     p->disk_handle = disk_info[i].handle;
     p->bytes_per_lba = disk_info[i].bytes_per_lba;
     p->ending_lba = disk_info[i].lba_count - 1;