diff options
author | Marek Vasut <marex@denx.de> | 2013-05-20 05:01:40 +0200 |
---|---|---|
committer | Wolfgang Denk <wd@denx.de> | 2013-06-11 22:11:38 +0200 |
commit | 8cf695537f55f6574d2a85ae4ddc5b9c9f0d26b3 (patch) | |
tree | 24660f601e13573479bc237d4b1e96d6b0a31314 /doc | |
parent | e1208c2fe5e07f9a248cfbf9bbb212aa34ad2806 (diff) | |
download | u-boot-imx-8cf695537f55f6574d2a85ae4ddc5b9c9f0d26b3.zip u-boot-imx-8cf695537f55f6574d2a85ae4ddc5b9c9f0d26b3.tar.gz u-boot-imx-8cf695537f55f6574d2a85ae4ddc5b9c9f0d26b3.tar.bz2 |
ppc: ppmc7xx: Fix possible out-of-bound access
The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT
macro, which is set to 19 for this board in the board config file. If we inspect
the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we
can notice the "switch ((long)flashtest)" at around line 80 having a few results
which will set flash_info_t->sector_count to value higher than 19, for example
"case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration
over flash_info_t->start[] happens and the upper bound for the interation is
flash_info_t->sector_count. Now if the sector_count is 128 as it is for the
AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is
only 19, an access past the start[] array much happen. Moreover, during this
iteration, the field is written to, so memory corruption is inevitable.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Richard Danter <richard.danter@windriver.com>
Diffstat (limited to 'doc')
0 files changed, 0 insertions, 0 deletions