spl: spl_legacy: Add extra address checks

Check whether the loaded image or entry point does not overlap SPL.

Signed-off-by: Marek Vasut <marex@denx.de>

cmd/Kconfig

@@ -362,7 +362,8 @@ config BOOTM_VXWORKS
 
 config SYS_BOOTM_LEN
 	hex "Maximum size of a decompresed OS image"
-	depends on CMD_BOOTM || CMD_BOOTI || CMD_BOOTZ
+	depends on CMD_BOOTM || CMD_BOOTI || CMD_BOOTZ || \
+		   LEGACY_IMAGE_FORMAT || SPL_LEGACY_IMAGE_FORMAT
 	default 0x4000000 if PPC || ARM64
 	default 0x1000000 if X86 || ARCH_MX6 || ARCH_MX7
 	default 0x800000

common/spl/spl_legacy.c

@@ -7,6 +7,7 @@
 #include <image.h>
 #include <log.h>
 #include <malloc.h>
+#include <asm/sections.h>
 #include <spl.h>
 
 #include <lzma/LzmaTypes.h>
@@ -15,6 +16,22 @@
 
 #define LZMA_LEN	(1 << 20)
 
+static void spl_parse_legacy_validate(uintptr_t start, uintptr_t size)
+{
+	uintptr_t spl_start = (uintptr_t)_start;
+	uintptr_t spl_end = (uintptr_t)__bss_end;
+	uintptr_t end = start + size;
+
+	if ((start >= spl_start && start < spl_end) ||
+	    (end > spl_start && end <= spl_end) ||
+	    (start < spl_start && end >= spl_end) ||
+	    (start > end && end > spl_start))
+		panic("SPL: Image overlaps SPL\n");
+
+	if (size > CONFIG_SYS_BOOTM_LEN)
+		panic("SPL: Image too large\n");
+}
+
 int spl_parse_legacy_header(struct spl_image_info *spl_image,
 			    const struct legacy_img_hdr *header)
 {
@@ -58,6 +75,9 @@ int spl_parse_legacy_header(struct spl_image_info *spl_image,
 	      "payload image: %32s load addr: 0x%lx size: %d\n",
 	      spl_image->name, spl_image->load_addr, spl_image->size);
 
+	spl_parse_legacy_validate(spl_image->load_addr, spl_image->size);
+	spl_parse_legacy_validate(spl_image->entry_point, 0);
+
 	return 0;
 }