From: Eric Snowberg
To: grub-devel@gnu.org
Cc: Eric Snowberg
Subject: [PATCH v2] ieee1275: prevent buffer over-read
Date: Mon, 15 Feb 2016 10:53:45 -0800
Message-Id: <1455562425-87254-1-git-send-email-eric.snowberg@oracle.com>

Prevent buffer over-read in grub_machine_mmap_iterate. This was
preventing phys_base from being calculated properly. This then caused
the wrong value to be placed in ramdisk_image within struct linux_hdrs,
which prevented the ramdisk from loading on boot.

Newer SPARC systems contain more than 8 available memory entries.

For example on a T5-8 with 2TB of memory, the memory layout could look like this:

T5-8 Memory
reg                      00000000 30000000 0000003f b0000000
                         00000800 00000000 00000040 00000000
                         00001000 00000000 00000040 00000000
                         00001800 00000000 00000040 00000000
                         00002000 00000000 00000040 00000000
                         00002800 00000000 00000040 00000000
                         00003000 00000000 00000040 00000000
                         00003800 00000000 00000040 00000000
available                00003800 00000000 0000003f ffcae000
                         00003000 00000000 00000040 00000000
                         00002800 00000000 00000040 00000000
                         00002000 00000000 00000040 00000000
                         00001800 00000000 00000040 00000000
                         00001000 00000000 00000040 00000000
                         00000800 00000000 00000040 00000000
                         00000000 70000000 0000003f 70000000
                         00000000 6eef8000 00000000 00002000
                         00000000 30400000 00000000 3eaf6000
name                     memory

Signed-off-by: Eric Snowberg
---
 grub-core/kern/ieee1275/mmap.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/grub-core/kern/ieee1275/mmap.c b/grub-core/kern/ieee1275/mmap.c index 911bb00..d7f6a1b 100644 --- a/grub-core/kern/ieee1275/mmap.c +++ b/grub-core/kern/ieee1275/mmap.c @@ -25,7 +25,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data) { grub_ieee1275_phandle_t root; grub_ieee1275_phandle_t memory; - grub_uint32_t available[32]; + grub_uint32_t available[128]; grub_ssize_t available_size; grub_uint32_t address_cells = 1; grub_uint32_t size_cells = 1; @@ -49,6 +49,9 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data) sizeof available, &available_size)) return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't examine /memory/available property"); + if (available_size > sizeof (available)) + return grub_error (GRUB_ERR_UNKNOWN_DEVICE, + "/memory response buffer exceeded"); if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS)) { -- 1.7.1
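
Review bot: the new array size in "grub_uint32_t available[128];" (first hunk) is still a bare constant, and nothing in the hunk records how it was chosen. If entries take four cells each, as in the T5-8 listing in the commit message, 128 cells cover 32 entries; a named constant with a comment stating the number of entries it is meant to hold would make that limit auditable, since a machine reporting more entries will now stop at the new error return instead of booting.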
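
Review bot: in "if (available_size > sizeof (available))" (second hunk) the left operand is the signed grub_ssize_t declared above and the right operand is an unsigned size, so a negative available_size is converted to a large unsigned value before the comparison. That happens to take the error path, but it should be explicit: test "available_size < 0" separately or cast deliberately. The string "/memory response buffer exceeded" would also help more during a failed boot if it named the /memory/available property, as the preceding error string does, and reported the returned size against the buffer size.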