From patchwork Tue Feb 23 02:30:58 2021
X-Patchwork-Submitter: Wagner Popov dos Santos
X-Patchwork-Id: 1443376
X-Patchwork-Delegate: trini@ti.com
Message-ID: <518786c46f01890819e44f06647de5bf3c47fe05.camel@gmail.com>
Subject: [PATCH] JFFS2: fix the reading address over nand's limit
From: Wagner Popov dos Santos
To: u-boot@lists.denx.de
Date: Mon, 22 Feb 2021 23:30:58 -0300

Fixes address violation in functions read_nand_cached() and read_onenand_cached(). This happens because these functions try to read a fixed amount of data even when the offset+length is above the nand's limit.

Signed-off-by: Wagner Popov dos Santos
--- fs/jffs2/jffs2_1pass.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/fs/jffs2/jffs2_1pass.c b/fs/jffs2/jffs2_1pass.c index a98745c50e..b39943671c 100644 --- a/fs/jffs2/jffs2_1pass.c +++ b/fs/jffs2/jffs2_1pass.c @@ -180,6 +180,7 @@ static int read_nand_cached(u32 off, u32 size, u_char *buf) struct mtd_info *mtd; u32 bytes_read = 0; size_t retlen; + size_t toread; int cpy_bytes; mtd = get_nand_dev_by_index(id->num); 
@@ -187,8 +188,12 @@ static int read_nand_cached(u32 off, u32 size, u_char *buf) return -1; while (bytes_read < size) { + retlen = NAND_CACHE_SIZE; + if( nand_cache_off + retlen > mtd->size ) + retlen = mtd->size - nand_cache_off; + if ((off + bytes_read < nand_cache_off) || - (off + bytes_read >= nand_cache_off+NAND_CACHE_SIZE)) { + (off + bytes_read >= nand_cache_off + retlen)) { nand_cache_off = (off + bytes_read) & NAND_PAGE_MASK; if (!nand_cache) { /* This memory never gets freed but 'cause @@ -201,16 +206,20 @@ static int read_nand_cached(u32 off, u32 size, u_char *buf) } } - retlen = NAND_CACHE_SIZE; + toread = NAND_CACHE_SIZE; + if( nand_cache_off + toread > mtd->size ) + toread = mtd->size - nand_cache_off; + + retlen = toread; if (nand_read(mtd, nand_cache_off, &retlen, nand_cache) < 0 || - retlen != NAND_CACHE_SIZE) { + retlen != toread) { printf("read_nand_cached: error reading nand off %#x size %d bytes\n", - nand_cache_off, NAND_CACHE_SIZE); + nand_cache_off, toread); return -1; } } - cpy_bytes = nand_cache_off + NAND_CACHE_SIZE - (off + bytes_read); + cpy_bytes = nand_cache_off + retlen - (off + bytes_read); if (cpy_bytes > size - bytes_read) cpy_bytes = size - bytes_read; memcpy(buf + bytes_read, @@ -283,11 +292,16 @@ static int read_onenand_cached(u32 off, u32 size, u_char *buf) { u32 bytes_read = 0; size_t retlen; + size_t toread; int cpy_bytes; while (bytes_read < size) { + retlen = ONENAND_CACHE_SIZE; + if( onenand_cache_off + retlen > onenand_mtd.size ) + retlen = onenand_mtd.size - onenand_cache_off; + if ((off + bytes_read < onenand_cache_off) || - (off + bytes_read >= onenand_cache_off + ONENAND_CACHE_SIZE)) { + (off + bytes_read >= onenand_cache_off + retlen)) { onenand_cache_off = (off + bytes_read) & ONENAND_PAGE_MASK; if (!onenand_cache) { /* This memory never gets freed but 'cause 
@@ -300,16 +314,19 @@ static int read_onenand_cached(u32 off, u32 size, u_char *buf) } } - retlen = ONENAND_CACHE_SIZE; + toread = ONENAND_CACHE_SIZE; + if( onenand_cache_off + toread > onenand_mtd.size ) + toread = onenand_mtd.size - onenand_cache_off; + retlen = toread; if (onenand_read(&onenand_mtd, onenand_cache_off, retlen, &retlen, onenand_cache) < 0 || - retlen != ONENAND_CACHE_SIZE) { + retlen != toread) { printf("read_onenand_cached: error reading nand off %#x size %d bytes\n", - onenand_cache_off, ONENAND_CACHE_SIZE); + onenand_cache_off, toread); return -1; } } - cpy_bytes = onenand_cache_off + ONENAND_CACHE_SIZE - (off + bytes_read); + cpy_bytes = onenand_cache_off + retlen - (off + bytes_read); if (cpy_bytes > size - bytes_read) cpy_bytes = size - bytes_read; memcpy(buf + bytes_read,
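
Review bot: In the hunk at the top of the while loop in read_nand_cached() (@@ -187,8 +188,12 @@), the clamp against mtd->size is written out twice per function, once here on retlen and again in the refill branch on toread, and the same pair is copied into read_onenand_cached(). A small static helper that returns the valid cache length for a given cache offset and device size would keep the four copies from drifting apart. The added "if( nand_cache_off + retlen > mtd->size )" lines also use "if( ... )" spacing; U-Boot follows the kernel coding style, which wants "if (cond)", and checkpatch will flag them.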
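
Review bot: In the refill branch of read_nand_cached() (@@ -201,16 +206,20 @@), toread is clamped to the device size but an off + bytes_read at or beyond mtd->size is never rejected. If the page-aligned nand_cache_off equals mtd->size, toread becomes 0, a zero-length read that returns retlen 0 passes the "retlen != toread" test, and cpy_bytes comes out as 0 or negative just before the memcpy(); if nand_cache_off is greater than mtd->size, "mtd->size - nand_cache_off" wraps to a very large length that is handed to nand_read(). Suggest returning -1 when off + bytes_read >= mtd->size before the cache is touched, and mirroring that check against onenand_mtd.size in read_onenand_cached().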
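
Review bot: In the error path of read_onenand_cached() (@@ -300,16 +314,19 @@), toread is declared size_t but is printed with %d in "error reading nand off %#x size %d bytes"; the read_nand_cached() printf has the same mismatch. The old argument was the ONENAND_CACHE_SIZE constant, so the format was never updated for the new type. Use %zu for toread, or declare toread with a type that matches the existing format.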