author: Marek Vasut <marex@denx.de> 2013-05-20 05:01:40 +0200
committer: Wolfgang Denk <wd@denx.de> 2013-06-11 22:11:38 +0200
commit: 8cf695537f55f6574d2a85ae4ddc5b9c9f0d26b3 (patch)
tree: 24660f601e13573479bc237d4b1e96d6b0a31314 /doc
parent: e1208c2fe5e07f9a248cfbf9bbb212aa34ad2806 (diff)
ppc: ppmc7xx: Fix possible out-of-bound access
The flash_info_t->start[] field is limited in size by the CONFIG_SYS_MAX_FLASH_SECT macro, which is set to 19 for this board in the board config file. If we inspect board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we can notice the "switch ((long)flashtest)" at around line 80 having a few results which will set flash_info_t->sector_count to a value higher than 19; for example "case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration over flash_info_t->start[] happens and the upper bound for the iteration is flash_info_t->sector_count. Now if the sector_count is 128 as it is for the AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is only 19, an access past the start[] array must happen. Moreover, during this iteration, the field is written to, so memory corruption is inevitable.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Wolfgang Denk <wd@denx.de>
Cc: Tom Rini <trini@ti.com>
Cc: Richard Danter <richard.danter@windriver.com>
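The bug class described in the commit message, an out-of-bounds write that occurs when a chip-reported sector count drives a loop over a fixed-size start[] table, can be demonstrated with a guard in host C. The example below is added here; it is not the U-Boot code and not the patch itself (the page shows no hunks for 'doc'). The struct layout, the constants CONFIG_SYS_MAX_FLASH_SECT (19) and the 128-sector count for AMD_ID_LV640U are taken from the message; FLASH_BASE, SECTOR_SIZE and the function names are assumptions for the sake of a runnable illustration.

```c
#include <stdio.h>
#include <string.h>

/* Values from the commit message: the board config allows 19 sectors in
 * start[], while the AMD_ID_LV640U case reports 128 sectors. */
#define CONFIG_SYS_MAX_FLASH_SECT 19
#define LV640U_SECTOR_COUNT 128

/* Assumed illustrative geometry (not from the page). */
#define FLASH_BASE  0xFF000000UL
#define SECTOR_SIZE 0x10000UL

/* Minimal stand-in for flash_info_t: start[] has a compile-time bound. */
typedef struct {
    unsigned long size;
    unsigned short sector_count;
    unsigned long start[CONFIG_SYS_MAX_FLASH_SECT];
} flash_info_t;

/* Returns 1 when a chip's sector count can be represented in start[]. */
int sector_count_fits(unsigned int chip_sectors)
{
    return chip_sectors <= CONFIG_SYS_MAX_FLASH_SECT;
}

/* Hardened version of the "fill start[] up to sector_count" loop.
 * The unguarded loop would be:
 *     for (i = 0; i < info->sector_count; i++)
 *         info->start[i] = base + i * sector_size;
 * which, with sector_count == 128 and a 19-entry table, writes past the
 * end of the struct. Here the chip count is validated against the array
 * bound before sector_count is even stored, so the loop can never run
 * beyond start[]. Returns 0 on success, -1 if the chip is rejected. */
int populate_sector_table(flash_info_t *info, unsigned int chip_sectors,
                          unsigned long base, unsigned long sector_size)
{
    unsigned int i;

    if (!sector_count_fits(chip_sectors)) {
        /* Refuse the chip rather than clamp: a silently truncated table
         * would misreport the device size to later erase/write code. */
        info->sector_count = 0;
        info->size = 0;
        return -1;
    }

    info->sector_count = (unsigned short)chip_sectors;
    info->size = (unsigned long)chip_sectors * sector_size;
    for (i = 0; i < info->sector_count; i++)
        info->start[i] = base + i * sector_size;
    return 0;
}

/* Probe helper for tests: returns the start address of the last sector
 * that was populated, or 0 if the chip was rejected. */
unsigned long probe_chip(unsigned int chip_sectors)
{
    flash_info_t info;

    memset(&info, 0, sizeof info);
    if (populate_sector_table(&info, chip_sectors, FLASH_BASE, SECTOR_SIZE) != 0)
        return 0;
    return info.start[info.sector_count - 1];
}

int main(void)
{
    printf("LV640U (%u sectors) fits: %d\n", LV640U_SECTOR_COUNT,
           sector_count_fits(LV640U_SECTOR_COUNT));
    printf("19-sector chip last start: 0x%lx\n", probe_chip(19));
    printf("128-sector chip last start: 0x%lx (0 = rejected)\n",
           probe_chip(LV640U_SECTOR_COUNT));
    return 0;
}
```

The check belongs where sector_count is assigned, before any loop consumes it; a bound applied only inside the loop still leaves size and sector_count inconsistent with the table, which later erase and write paths would trust.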
Diffstat (limited to 'doc')
0 files changed, 0 insertions, 0 deletions