From: Antony Pavlov <antonynpavlov@gmail.com>
To: barebox@lists.infradead.org
Cc: Oleksij Rempel <o.rempel@pengutronix.de>
Subject: [RFC 2/2] MIPS: relocate_code: fix barebox image memcpy() size
Date: Tue, 18 Jun 2019 12:38:33 +0300
Message-ID: <20190618093833.2005-3-antonynpavlov@gmail.com>
In-Reply-To: <20190618093833.2005-1-antonynpavlov@gmail.com>
In this relocate_code() piece 'length' is greater than 'barebox_image_size':
#define MAX_BSS_SIZE SZ_1M
...
length = barebox_image_size + MAX_BSS_SIZE;
relocaddr = ALIGN_DOWN(ram_size - barebox_image_size, SZ_64K);
...
memcpy((void *)relocaddr, __image_start, length);
so 'ram_size' overflow occurs during memcpy().
Signed-off-by: Antony Pavlov <antonynpavlov@gmail.com>
---
arch/mips/lib/reloc.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/arch/mips/lib/reloc.c b/arch/mips/lib/reloc.c
index 9756d61666..14ba6167dd 100644
--- a/arch/mips/lib/reloc.c
+++ b/arch/mips/lib/reloc.c
@@ -40,8 +40,6 @@
#include <linux/sizes.h>
#include <asm-generic/memory_layout.h>
-#define MAX_BSS_SIZE SZ_1M
-
void main_entry(void *fdt, u32 fdt_size);
void relocate_code(void *fdt, u32 fdt_size, u32 relocaddr);
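Review bot: dropping MAX_BSS_SIZE is the right move once the real .bss size comes from the linker symbols, but this diff only touches arch/mips/lib/reloc.c; worth confirming nothing else under arch/mips still references the define before it goes.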
@@ -127,8 +125,10 @@ void relocate_code(void *fdt, u32 fdt_size, u32 ram_size)
unsigned int type;
long off;
- length = barebox_image_size + MAX_BSS_SIZE;
- relocaddr = ALIGN_DOWN(ram_size - barebox_image_size, SZ_64K);
+ bss_len = (unsigned long)&__bss_stop - (unsigned long)__bss_start;
+
+ length = barebox_image_size + bss_len;
+ relocaddr = ALIGN_DOWN(ram_size - length, SZ_64K);
relocaddr = KSEG0ADDR(relocaddr);
new_stack = relocaddr - MALLOC_SIZE - 16;
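Review bot: `relocaddr = ALIGN_DOWN(ram_size - length, SZ_64K);` and `new_stack = relocaddr - MALLOC_SIZE - 16;` subtract from `ram_size` with no check that image, .bss, malloc area and stack actually fit, so on a small RAM the unsigned arithmetic wraps silently and the copy lands at a bogus address; suggest a guard such as panicking when `length + MALLOC_SIZE + 16 > ram_size` before the subtraction. Also, the moved `bss_len` line mixes `&__bss_stop` with a bare `__bss_start`, which reads as if the two symbols are declared differently; a short comment stating both are linker symbols and that the size is valid before relocation would help the next reader.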
@@ -143,7 +143,7 @@ void relocate_code(void *fdt, u32 fdt_size, u32 ram_size)
panic("Mis-aligned relocation\n");
/* Copy Barebox to RAM */
- memcpy((void *)relocaddr, __image_start, length);
+ memcpy((void *)relocaddr, __image_start, barebox_image_size);
/* Now apply relocations to the copy in RAM */
buf = __rel_start;
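Review bot: copying only `barebox_image_size` bytes is correct, but the comment `/* Copy Barebox to RAM */` should now say that .bss is deliberately not copied and is zeroed in place further down, since the old code copied `length` bytes and a reader of this hunk alone may assume the bss is left uninitialised.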
@@ -162,7 +162,6 @@ void relocate_code(void *fdt, u32 fdt_size, u32 ram_size)
/* Clear the .bss section */
bss_start = (uint8_t *)((unsigned long)__bss_start + off);
- bss_len = (unsigned long)&__bss_stop - (unsigned long)__bss_start;
memset(bss_start, 0, bss_len);
__asm__ __volatile__ (
--
2.20.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
Thread overview: 5+ messages
2019-06-18 9:38 [RFC 0/2] MIPS: fix code relocation routine Antony Pavlov
2019-06-18 9:38 ` [RFC 1/2] MIPS: lib/Makefile: fix whitespaces Antony Pavlov
2019-06-18 9:38 ` Antony Pavlov [this message]
2019-06-18 11:05 ` [RFC 2/2] MIPS: relocate_code: fix barebox image memcpy() size Oleksij Rempel
2019-06-20 14:34 ` [RFC 0/2] MIPS: fix code relocation routine Sascha Hauer