Patchwork [U-Boot] ppc: ppmc7xx: Fix possible out-of-bound access

login
register
mail settings
Submitter Marek Vasut
Date May 20, 2013, 3:01 a.m.
Message ID <1369018900-11198-1-git-send-email-marex@denx.de>
Download mbox | patch
Permalink /patch/244835/
State Accepted
Delegated to: Wolfgang Denk
Headers show

Comments

Marek Vasut - May 20, 2013, 3:01 a.m.
The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT
macro, which is set to 19 for this board in the board config file. If we inspect
the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we
can notice the "switch ((long)flashtest)" at around line 80 having a few results
which will set flash_info_t->sector_count to value higher than 19, for example
"case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration
over flash_info_t->start[] happens and the upper bound for the interation is
flash_info_t->sector_count. Now if the sector_count is 128 as it is for the
AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is
only 19, an access past the start[] array much happen. Moreover, during this
iteration, the field is written to, so memory corruption is inevitable.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Richard Danter <richard.danter@windriver.com>
---
 include/configs/ppmc7xx.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Wolfgang Denk - June 11, 2013, 8:10 p.m.
Dear Marek Vasut,

In message <1369018900-11198-1-git-send-email-marex@denx.de> you wrote:
> The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT
> macro, which is set to 19 for this board in the board config file. If we inspect
> the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we
> can notice the "switch ((long)flashtest)" at around line 80 having a few results
> which will set flash_info_t->sector_count to value higher than 19, for example
> "case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration
> over flash_info_t->start[] happens and the upper bound for the interation is
> flash_info_t->sector_count. Now if the sector_count is 128 as it is for the
> AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is
> only 19, an access past the start[] array much happen. Moreover, during this
> iteration, the field is written to, so memory corruption is inevitable.
> 
> Signed-off-by: Marek Vasut <marex@denx.de>
> Cc: Wolfgang Denk <wd@denx.de>
> Cc: Tom Rini <trini@ti.com>
> Cc: Richard Danter <richard.danter@windriver.com>
> ---
>  include/configs/ppmc7xx.h |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied, thanks.

Best regards,

Wolfgang Denk

Patch

diff --git a/include/configs/ppmc7xx.h b/include/configs/ppmc7xx.h
index 5cd6609..d4d7f9e 100644
--- a/include/configs/ppmc7xx.h
+++ b/include/configs/ppmc7xx.h
@@ -233,7 +233,7 @@ 
 #define CONFIG_SYS_FLASH_ERASE_TOUT	250000
 #define CONFIG_SYS_FLASH_WRITE_TOUT	5000
 #define CONFIG_SYS_MAX_FLASH_BANKS	1
-#define CONFIG_SYS_MAX_FLASH_SECT	19
+#define CONFIG_SYS_MAX_FLASH_SECT	128
 
 
 /*