[U-Boot] cmd_sf: add size checking to spi flash commands

Message ID	1333463653-31311-1-git-send-email-gerlando.falauto@keymile.com
State	Accepted
Delegated to:	Mike Frysinger
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Gerlando Falauto <gerlando.falauto@keymile.com> To: u-boot@lists.denx.de Date: Tue, 3 Apr 2012 16:34:13 +0200 Message-Id: <1333463653-31311-1-git-send-email-gerlando.falauto@keymile.com> In-Reply-To: <4F5F9103.1030807@keymile.com> References: <4F5F9103.1030807@keymile.com> Cc: Valentin Longchamp <valentin.longchamp@keymile.com>, Holger Brunck <holger.brunck@keymile.com>, Gerlando Falauto <gerlando.falauto@keymile.com> Subject: [U-Boot] [PATCH] cmd_sf: add size checking to spi flash commands Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: u-boot-bounces@lists.denx.de Errors-To: u-boot-bounces@lists.denx.de

Message ID

1333463653-31311-1-git-send-email-gerlando.falauto@keymile.com

State

Accepted

Delegated to:

Mike Frysinger

Headers

From: Gerlando Falauto <gerlando.falauto@keymile.com>
To: u-boot@lists.denx.de
Date: Tue,  3 Apr 2012 16:34:13 +0200
Message-Id: <1333463653-31311-1-git-send-email-gerlando.falauto@keymile.com>
In-Reply-To: <4F5F9103.1030807@keymile.com>
References: <4F5F9103.1030807@keymile.com>
Cc: Valentin Longchamp <valentin.longchamp@keymile.com>,
	Holger Brunck <holger.brunck@keymile.com>,
	Gerlando Falauto <gerlando.falauto@keymile.com>
Subject: [U-Boot] [PATCH] cmd_sf: add size checking to spi flash commands
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: u-boot-bounces@lists.denx.de
Errors-To: u-boot-bounces@lists.denx.de

Commit Message

Gerlando Falauto April 3, 2012, 2:34 p.m. UTC

SPI flash operations inadvertently stretching beyond the flash size will
result in a wraparound. This may be particularly dangerous when burning
u-boot, because the flash contents will be corrupted rendering the board
unusable, without any warning being issued.
So add a consistency checking so not to overflow past the flash size.

Signed-off-by: Gerlando Falauto <gerlando.falauto@keymile.com>
Cc: Valentin Longchamp <valentin.longchamp@keymile.com>
Cc: Holger Brunck <holger.brunck@keymile.com>
---
 common/cmd_sf.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

Comments

Mike Frysinger April 3, 2012, 7:31 p.m. UTC | #1

On Tue, Apr 3, 2012 at 07:34, Gerlando Falauto wrote:
> SPI flash operations inadvertently stretching beyond the flash size will
> result in a wraparound. This may be particularly dangerous when burning
> u-boot, because the flash contents will be corrupted rendering the board
> unusable, without any warning being issued.
> So add a consistency checking so not to overflow past the flash size.

looks OK to me.  i'll test it locally and merge it into my SF branch.  cheers!
-mike

diff --git a/common/cmd_sf.c b/common/cmd_sf.c
index 9c76464..3cfedde 100644
--- a/common/cmd_sf.c
+++ b/common/cmd_sf.c
@@ -211,6 +211,13 @@  static int do_spi_flash_read_write(int argc, char * const argv[])
 	if (*argv[3] == 0 || *endp != 0)
 		return -1;
 
+	/* Consistency checking */
+	if (offset + len > flash->size) {
+		printf("ERROR: Attempting SPI flash %s past flash size (0x%x)\n",
+			argv[0], flash->size);
+		return 1;
+	}
+
 	buf = map_physmem(addr, len, MAP_WRBACK);
 	if (!buf) {
 		puts("Failed to map physical memory\n");
@@ -252,6 +259,13 @@  static int do_spi_flash_erase(int argc, char * const argv[])
 	if (ret != 1)
 		return -1;
 
+	/* Consistency checking */
+	if (offset + len > flash->size) {
+		printf("ERROR: Attempting SPI flash %s past flash size (0x%x)\n",
+			argv[0], flash->size);
+		return 1;
+	}
+
 	ret = spi_flash_erase(flash, offset, len);
 	if (ret) {
 		printf("SPI flash %s failed\n", argv[0]);

[U-Boot] cmd_sf: add size checking to spi flash commands

Commit Message

Comments

Patch