Check the uploaded ARM binary prior to executing.

boot2.c

@@ -22,6 +22,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
 */
 #include "types.h"
+#include "elf.h"
 #include "nand.h"
 #include "memory.h"
 #include "crypto.h"
@@ -49,13 +50,6 @@ typedef struct {
 	u32 padding[3];
 } boot2header;
 
-typedef struct {
-	u32 hdrsize;
-	u32 loadersize;
-	u32 elfsize;
-	u32 argument;
-} ioshdr;
-
 typedef struct {
 	u64 signature;
 	u32 generation;

elf.h

@@ -62,5 +62,12 @@ typedef struct {
 #define PT_SHLIB    5
 #define PT_PHDR     6
 
+typedef struct {
+	u32 hdrsize;
+	u32 loadersize;
+	u32 elfsize;
+	u32 argument;
+} ioshdr;
+
 #endif
 

gecko.c

@@ -29,6 +29,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #include "string.h"
 #include "utils.h"
 #include "hollywood.h"
+#include "elf.h"
 #include "powerpc.h"
 #include "powerpc_elf.h"
 #include "gecko.h"
@@ -343,11 +344,21 @@ void gecko_timer(void) {
 		return;
 	}
 
+	ioshdr *h;
+
 	// done receiving, handle the command
 	switch (_gecko_cmd) {
 	case GECKO_CMD_BIN_ARM:
-		// skip headerlen, which is stored at u32[0]
-		ipc_enqueue_slow(IPC_DEV_SYS, IPC_SYS_JUMP, 1, ((u32 *) 0x0)[0]);
+		h = (ioshdr *) (u32 *) 0x0;
+
+		if (h->hdrsize != sizeof (ioshdr))
+			goto cleanup;
+
+		if (memcmp("\x7F" "ELF\x01\x02\x01",
+					(void *) (h->hdrsize + h->loadersize), 7))
+			goto cleanup;
+
+		ipc_enqueue_slow(IPC_DEV_SYS, IPC_SYS_JUMP, 1, h->hdrsize);
 		break;
 
 	case GECKO_CMD_BIN_PPC: