From patchwork Wed Jan 20 08:37:39 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Purna Chandra Mandal X-Patchwork-Id: 570584 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from theia.denx.de (theia.denx.de [85.214.87.163]) by ozlabs.org (Postfix) with ESMTP id 19851140AD9 for ; Wed, 20 Jan 2016 19:39:37 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 3832F4BB94; Wed, 20 Jan 2016 09:39:33 +0100 (CET) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b6MTNqvYf6LE; Wed, 20 Jan 2016 09:39:32 +0100 (CET) Received: from theia.denx.de (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id E4C8C4BB2D; Wed, 20 Jan 2016 09:39:31 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id B25834BB28 for ; Wed, 20 Jan 2016 09:39:06 +0100 (CET) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3jkIvurxwlwO for ; Wed, 20 Jan 2016 09:39:06 +0100 (CET) X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested) Received: from email.microchip.com (exsmtp03.microchip.com [198.175.253.49]) by theia.denx.de (Postfix) with ESMTPS id 213754BB25 for ; Wed, 20 Jan 2016 09:39:01 +0100 (CET) Received: from mx.microchip.com (10.10.76.4) by chn-sv-exch03.mchp-main.com (10.10.76.49) with Microsoft SMTP Server id 14.3.181.6; Wed, 20 Jan 2016 01:38:57 -0700 Received: by mx.microchip.com (sSMTP sendmail emulation); Wed, 20 Jan 2016 14:07:41 +0530 From: Purna Chandra Mandal To: Date: Wed, 20 Jan 2016 14:07:39 +0530 Message-ID: <1453279059-10967-1-git-send-email-purna.mandal@microchip.com> X-Mailer: git-send-email 1.8.3.1 MIME-Version: 1.0 Cc: Bernhard Nortmann , Joe Hershberger , Purna Chandra Mandal , Julius Werner , Karl Apsite Subject: [U-Boot] [PATCH] bootm: fix size arg of flush_cache() in bootm_load_os(). X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.15 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" Variable _load_end_ points to end address of uncompressed buffer (*not* uncomress_buffer_end / sizeof(ulong)), so multipling uncompressed size with sizeof(ulong) is grossly incorrect in flush_cache(). It might lead to access of address beyond valid memory range and hang the CPU. Tested on MIPS architecture by using compressed(gzip, lzma) and uncompressed uImage. Signed-off-by: Purna Chandra Mandal Reviewed-by: Simon Glass Reviewed-by: Daniel Schwierzeck --- common/bootm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/bootm.c b/common/bootm.c index 58936ca..99d574d 100644 --- a/common/bootm.c +++ b/common/bootm.c @@ -435,7 +435,7 @@ static int bootm_load_os(bootm_headers_t *images, unsigned long *load_end, bootstage_error(BOOTSTAGE_ID_DECOMP_IMAGE); return err; } - flush_cache(load, (*load_end - load) * sizeof(ulong)); + flush_cache(load, *load_end - load); debug(" kernel loaded at 0x%08lx, end = 0x%08lx\n", load, *load_end); bootstage_mark(BOOTSTAGE_ID_KERNEL_LOADED);