From patchwork Mon May 20 03:01:40 2013
X-Patchwork-Submitter: Marek Vasut
X-Patchwork-Id: 244835
X-Patchwork-Delegate: wd@denx.de
From: Marek Vasut
To: u-boot@lists.denx.de
Date: Mon, 20 May 2013 05:01:40 +0200
Message-Id: <1369018900-11198-1-git-send-email-marex@denx.de>
Cc: Marek Vasut, Tom Rini, Richard Danter
Subject: [U-Boot] [PATCH] ppc: ppmc7xx: Fix possible out-of-bound access

The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT macro, which is set to 19 for this board in the board config file.

If we inspect the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we can notice the "switch ((long)flashtest)" at around line 80 having a few results which will set flash_info_t->sector_count to a value higher than 19, for example "case AMD_ID_LV640U" will set it to 128.

Notice that right underneath, iteration over flash_info_t->start[] happens and the upper bound for the iteration is flash_info_t->sector_count.

Now if the sector_count is 128 as it is for the AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is only 19, an access past the start[] array must happen. Moreover, during this iteration, the field is written to, so memory corruption is inevitable.

Signed-off-by: Marek Vasut
Cc: Wolfgang Denk
Cc: Tom Rini
Cc: Richard Danter
--- include/configs/ppmc7xx.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/configs/ppmc7xx.h b/include/configs/ppmc7xx.h index 5cd6609..d4d7f9e 100644 --- a/include/configs/ppmc7xx.h +++ b/include/configs/ppmc7xx.h
@@ -233,7 +233,7 @@ #define CONFIG_SYS_FLASH_ERASE_TOUT 250000 #define CONFIG_SYS_FLASH_WRITE_TOUT 5000 #define CONFIG_SYS_MAX_FLASH_BANKS 1 -#define CONFIG_SYS_MAX_FLASH_SECT 19 +#define CONFIG_SYS_MAX_FLASH_SECT 128 /*
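Review bot: the new value in "+#define CONFIG_SYS_MAX_FLASH_SECT 128" is justified only by the one example the commit message gives (AMD_ID_LV640U setting sector_count to 128), and nothing in this change makes flash_get_size() check sector_count against the macro before it writes start[]. Please state in the commit message that 128 is the largest sector_count any case in that switch assigns, and consider adding a check in board/ppmc7xx/flash.c that rejects a sector_count above CONFIG_SYS_MAX_FLASH_SECT before the loop, so a later device ID with more sectors fails cleanly instead of writing past the array again.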