From patchwork Sat Jul 21 17:29:57 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mike Frysinger X-Patchwork-Id: 172449 X-Patchwork-Delegate: vapier@gentoo.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from theia.denx.de (theia.denx.de [85.214.87.163]) by ozlabs.org (Postfix) with ESMTP id 8B59C2C0261 for ; Sun, 22 Jul 2012 03:29:28 +1000 (EST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 6926E28077; Sat, 21 Jul 2012 19:29:26 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at theia.denx.de Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYzbfIIqBZ31; Sat, 21 Jul 2012 19:29:26 +0200 (CEST) Received: from theia.denx.de (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id A7D8528086; Sat, 21 Jul 2012 19:29:23 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 0DBC728086 for ; Sat, 21 Jul 2012 19:29:22 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at theia.denx.de Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IP1y8l-T+vD7 for ; Sat, 21 Jul 2012 19:29:21 +0200 (CEST) X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by theia.denx.de (Postfix) with ESMTPS id 706A328077 for ; Sat, 21 Jul 2012 19:29:20 +0200 (CEST) Received: from localhost.localdomain (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id A99C11B412E; Sat, 21 Jul 2012 17:29:14 +0000 (UTC) From: Mike Frysinger To: u-boot@lists.denx.de Date: Sat, 21 Jul 2012 13:29:57 -0400 Message-Id: <1342891797-28337-1-git-send-email-vapier@gentoo.org> X-Mailer: git-send-email 1.7.9.7 In-Reply-To: <1333463653-31311-1-git-send-email-gerlando.falauto@keymile.com> References: <1333463653-31311-1-git-send-email-gerlando.falauto@keymile.com> Cc: Gerlando Falauto Subject: [U-Boot] [PATCH v2] cmd_sf: add size checking to spi flash commands X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.11 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: u-boot-bounces@lists.denx.de Errors-To: u-boot-bounces@lists.denx.de From: Gerlando Falauto SPI flash operations inadvertently stretching beyond the flash size will result in a wraparound. This may be particularly dangerous when burning u-boot, because the flash contents will be corrupted rendering the board unusable, without any warning being issued. So add a consistency checking so not to overflow past the flash size. Signed-off-by: Gerlando Falauto Signed-off-by: Mike Frysinger --- v2 - tweaked the printf strings common/cmd_sf.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/common/cmd_sf.c b/common/cmd_sf.c index 9c76464..5ac1d0c 100644 --- a/common/cmd_sf.c +++ b/common/cmd_sf.c @@ -211,6 +211,13 @@ static int do_spi_flash_read_write(int argc, char * const argv[]) if (*argv[3] == 0 || *endp != 0) return -1; + /* Consistency checking */ + if (offset + len > flash->size) { + printf("ERROR: attempting %s past flash size (%#x)\n", + argv[0], flash->size); + return 1; + } + buf = map_physmem(addr, len, MAP_WRBACK); if (!buf) { puts("Failed to map physical memory\n"); @@ -252,6 +259,13 @@ static int do_spi_flash_erase(int argc, char * const argv[]) if (ret != 1) return -1; + /* Consistency checking */ + if (offset + len > flash->size) { + printf("ERROR: attempting %s past flash size (%#x)\n", + argv[0], flash->size); + return 1; + } + ret = spi_flash_erase(flash, offset, len); if (ret) { printf("SPI flash %s failed\n", argv[0]);