[openwrt/openwrt] uboot-mediatek: fix various environment errors on u-boot v2025.07
LEDE Commits
lede-commits at lists.infradead.org
Mon Jul 28 07:08:12 PDT 2025
dangole pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/8a63382018c072ba8c3e9f2a40b216e9a35f2536
commit 8a63382018c072ba8c3e9f2a40b216e9a35f2536
Author: Shiji Yang <yangshiji66 at outlook.com>
AuthorDate: Mon Jul 21 21:53:33 2025 +0800
uboot-mediatek: fix various environment errors on u-boot v2025.07
Fix the crash and warnings for the newly introduced env on mtd
implementation. Also backport an out-of-bound access fix for the
"askenv" command.
Fixes: 41a9c9de66a7 ("uboot-mediatek: update to v2025.07")
Signed-off-by: Shiji Yang <yangshiji66 at outlook.com>
---
...sible-out-of-bound-access-in-env_do_env_s.patch | 55 ++++++++++++++++++++++
...01-env-mtd-add-the-missing-put_mtd_device.patch | 47 ++++++++++++++++++
...0-02-env-mtd-initialize-saved_buf-pointer.patch | 25 ++++++++++
3 files changed, 127 insertions(+)
diff --git a/package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch b/package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch
new file mode 100644
index 0000000000..f98dcfe95f
--- /dev/null
+++ b/package/boot/uboot-mediatek/patches/006-env-Fix-possible-out-of-bound-access-in-env_do_env_s.patch
@@ -0,0 +1,55 @@
+From 0ffd456516b5f0c126c9705d6b2368a45ee2353f Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth at gmail.com>
+Date: Sun, 29 Jun 2025 15:21:18 +0200
+Subject: [PATCH] env: Fix possible out-of-bound access in env_do_env_set
+
+It was discovered that env_do_env_set() currently suffer from a long
+time of a possible out-of-bound access for the argv array handling.
+
+The BUG is present in the function env_do_env_set() line:
+
+name = argv[1];
+
+where the function at this point assume the argv at index 1 is always
+present and can't be NULL. Aside from the fact that it's always
+better to validate argv entry with the argc variable, situation where
+the argv[1] is NULL is actually possible and not an error condition.
+
+A example of where an out-of-bound access is triggered is with the
+command "askenv - Press ENTER to ...".
+This is a common pattern for bootmenu entry to ask the user input after
+a bootmenu command succeeded.
+
+In the context of such command, the while loop before "name = argv[1];"
+parse the "-" char as an option arg and increment the argv pointer by
+one (to make the rest of the logic code ignore the option argv) and
+decrement argc value.
+
+The while loop logic is correct but at the "name = argv[1];" line, the
+argv have only one element left (the "-" char) and accessing argv[1]
+(aka the secong element from argv pointer) cause an out-of-bound access
+(making the bootloader eventually crash with strchr searching in invalid
+data)
+
+To better handle this and prevent the out-of-bound access, actually
+check the argv entry left (with the use of the argc variable) and exit
+early before doing any kind of array access.
+
+Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
+---
+ env/common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/env/common.c
++++ b/env/common.c
+@@ -82,6 +82,10 @@ int env_do_env_set(int flag, int argc, c
+ }
+ }
+ debug("Final value for argc=%d\n", argc);
++ /* Exit early if we don't have an env to apply */
++ if (argc < 2)
++ return 0;
++
+ name = argv[1];
+
+ if (strchr(name, '=')) {
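Review bot: In env/common.c the new `if (argc < 2) return 0;` ahead of `name = argv[1];` reports success when no variable name is left, so a caller cannot tell that nothing was set. The commit message explains that this case is "not an error condition" (for example after "askenv -"), but the in-code comment only says "Exit early if we don't have an env to apply". Suggest extending that comment to state that returning 0 is deliberate and which command forms reach it, so a later cleanup does not turn it into a usage error or drop the guard.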
diff --git a/package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch b/package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch
new file mode 100644
index 0000000000..61c4b6e8b1
--- /dev/null
+++ b/package/boot/uboot-mediatek/patches/130-01-env-mtd-add-the-missing-put_mtd_device.patch
@@ -0,0 +1,47 @@
+From 0508c8e120d275d994e6099eb9c60bfaec0c3f5f Mon Sep 17 00:00:00 2001
+From: Shiji Yang <yangshiji66 at outlook.com>
+Date: Mon, 21 Jul 2025 21:32:16 +0800
+Subject: [PATCH 1/2] env: mtd: add the missing put_mtd_device()
+
+The mtd device is got in setup_mtd_device(), we must put the mtd
+device before exiting the function to update the mtd use count. This
+patch fixes the following env error:
+
+> Removing MTD device #2 (u-boot-env) with use count 1
+> Error when deleting partition "u-boot-env" (-16)
+
+Fixes: 03fb08d4aef8 ("env: Introduce support for MTD")
+Signed-off-by: Shiji Yang <yangshiji66 at outlook.com>
+---
+ env/mtd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/env/mtd.c
++++ b/env/mtd.c
+@@ -131,6 +131,8 @@ static int env_mtd_save(void)
+ puts("done\n");
+
+ done:
++ put_mtd_device(mtd_env);
++
+ if (saved_buf)
+ free(saved_buf);
+
+@@ -188,6 +190,8 @@ static int env_mtd_load(void)
+ gd->env_valid = ENV_VALID;
+
+ out:
++ put_mtd_device(mtd_env);
++
+ free(buf);
+
+ return ret;
+@@ -280,6 +284,8 @@ static int env_mtd_erase(void)
+ ret = 0;
+
+ done:
++ put_mtd_device(mtd_env);
++
+ if (saved_buf)
+ free(saved_buf);
+
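Review bot: The three `put_mtd_device(mtd_env);` calls sit directly under the `done:` and `out:` labels in env_mtd_save(), env_mtd_load() and env_mtd_erase(), so they run on every path that jumps to those labels, error paths included. Please confirm that no jump to `done` or `out` can happen before setup_mtd_device() has taken the reference. If one can, mtd_env would be released without being held (or while still uninitialized) and the use count would end up unbalanced in the other direction. A sentence in the commit message stating that a setup failure returns before these labels are reachable would settle it.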
diff --git a/package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch b/package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch
new file mode 100644
index 0000000000..206d3b3560
--- /dev/null
+++ b/package/boot/uboot-mediatek/patches/130-02-env-mtd-initialize-saved_buf-pointer.patch
@@ -0,0 +1,25 @@
+From 0ef932f509fd9f9215af2ea4ca2919d3285ddf60 Mon Sep 17 00:00:00 2001
+From: Shiji Yang <yangshiji66 at outlook.com>
+Date: Thu, 24 Jul 2025 07:50:40 +0800
+Subject: [PATCH 2/2] env: mtd: initialize saved_buf pointer
+
+When sect_size is greater than CONFIG_ENV_SIZE, this wild
+pointer will cause CPU halt or system crash.
+
+Fixes: 03fb08d4aef8 ("env: Introduce support for MTD")
+Signed-off-by: Shiji Yang <yangshiji66 at outlook.com>
+---
+ env/mtd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/env/mtd.c
++++ b/env/mtd.c
+@@ -201,7 +201,7 @@ static int env_mtd_erase(void)
+ {
+ struct mtd_info *mtd_env;
+ u32 sect_size, sect_num;
+- char *saved_buf, *tmp;
++ char *saved_buf = NULL, *tmp;
+ struct erase_info ei;
+ size_t ret_len;
+ int remaining;
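Review bot: Only the `saved_buf` declaration in env_mtd_erase() is initialised here, but the env_mtd_save() hunk in 130-01 shows the same `if (saved_buf) free(saved_buf);` cleanup under `done:`. Please check whether the declaration in env_mtd_save() needs the same `= NULL`. The commit message could also name the path on which saved_buf reaches that cleanup unassigned, since "When sect_size is greater than CONFIG_ENV_SIZE" does not make clear where the assignment is skipped.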