| Message ID | 1369018900-11198-1-git-send-email-marex@denx.de |
|---|---|
| State | Accepted |
| Delegated to: | Wolfgang Denk |
| Headers | show |
Dear Marek Vasut, In message <1369018900-11198-1-git-send-email-marex@denx.de> you wrote: > The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT > macro, which is set to 19 for this board in the board config file. If we inspect > the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we > can notice the "switch ((long)flashtest)" at around line 80 having a few results > which will set flash_info_t->sector_count to value higher than 19, for example > "case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration > over flash_info_t->start[] happens and the upper bound for the interation is > flash_info_t->sector_count. Now if the sector_count is 128 as it is for the > AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is > only 19, an access past the start[] array much happen. Moreover, during this > iteration, the field is written to, so memory corruption is inevitable. > > Signed-off-by: Marek Vasut <marex@denx.de> > Cc: Wolfgang Denk <wd@denx.de> > Cc: Tom Rini <trini@ti.com> > Cc: Richard Danter <richard.danter@windriver.com> > --- > include/configs/ppmc7xx.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Applied, thanks. Best regards, Wolfgang Denk
diff --git a/include/configs/ppmc7xx.h b/include/configs/ppmc7xx.h index 5cd6609..d4d7f9e 100644 --- a/include/configs/ppmc7xx.h +++ b/include/configs/ppmc7xx.h @@ -233,7 +233,7 @@ #define CONFIG_SYS_FLASH_ERASE_TOUT 250000 #define CONFIG_SYS_FLASH_WRITE_TOUT 5000 #define CONFIG_SYS_MAX_FLASH_BANKS 1 -#define CONFIG_SYS_MAX_FLASH_SECT 19 +#define CONFIG_SYS_MAX_FLASH_SECT 128 /*
The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT macro, which is set to 19 for this board in the board config file. If we inspect the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we can notice the "switch ((long)flashtest)" at around line 80 having a few results which will set flash_info_t->sector_count to value higher than 19, for example "case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration over flash_info_t->start[] happens and the upper bound for the interation is flash_info_t->sector_count. Now if the sector_count is 128 as it is for the AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is only 19, an access past the start[] array much happen. Moreover, during this iteration, the field is written to, so memory corruption is inevitable. Signed-off-by: Marek Vasut <marex@denx.de> Cc: Wolfgang Denk <wd@denx.de> Cc: Tom Rini <trini@ti.com> Cc: Richard Danter <richard.danter@windriver.com> --- include/configs/ppmc7xx.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)