* [PATCH v2] ieee1275: prevent buffer over-read
@ 2016-02-15 18:53 Eric Snowberg
2016-02-22 7:02 ` Andrei Borzenkov
0 siblings, 1 reply; 2+ messages in thread
From: Eric Snowberg @ 2016-02-15 18:53 UTC (permalink / raw)
To: grub-devel; +Cc: Eric Snowberg
Prevent buffer over-read in grub_machine_mmap_iterate. This was
causing phys_base from being calculated properly. This then
caused the wrong value to be placed in ramdisk_image within
struct linux_hdrs. Which prevented the ramdisk from loading on
boot.
Newer SPARC systems contain more than 8 available memory entries.
For example on a T5-8 with 2TB of memory, the memory layout could
look like this:
T5-8 Memory
reg 00000000 30000000 0000003f b0000000
00000800 00000000 00000040 00000000
00001000 00000000 00000040 00000000
00001800 00000000 00000040 00000000
00002000 00000000 00000040 00000000
00002800 00000000 00000040 00000000
00003000 00000000 00000040 00000000
00003800 00000000 00000040 00000000
available 00003800 00000000 0000003f ffcae000
00003000 00000000 00000040 00000000
00002800 00000000 00000040 00000000
00002000 00000000 00000040 00000000
00001800 00000000 00000040 00000000
00001000 00000000 00000040 00000000
00000800 00000000 00000040 00000000
00000000 70000000 0000003f 70000000
00000000 6eef8000 00000000 00002000
00000000 30400000 00000000 3eaf6000
name memory
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
grub-core/kern/ieee1275/mmap.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/grub-core/kern/ieee1275/mmap.c b/grub-core/kern/ieee1275/mmap.c
index 911bb00..d7f6a1b 100644
--- a/grub-core/kern/ieee1275/mmap.c
+++ b/grub-core/kern/ieee1275/mmap.c
@@ -25,7 +25,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
{
grub_ieee1275_phandle_t root;
grub_ieee1275_phandle_t memory;
- grub_uint32_t available[32];
+ grub_uint32_t available[128];
grub_ssize_t available_size;
grub_uint32_t address_cells = 1;
grub_uint32_t size_cells = 1;
@@ -49,6 +49,9 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
sizeof available, &available_size))
return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
"couldn't examine /memory/available property");
+ if (available_size > sizeof (available))
+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
+ "/memory response buffer exceeded");
if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS))
{
--
1.7.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH v2] ieee1275: prevent buffer over-read
2016-02-15 18:53 [PATCH v2] ieee1275: prevent buffer over-read Eric Snowberg
@ 2016-02-22 7:02 ` Andrei Borzenkov
0 siblings, 0 replies; 2+ messages in thread
From: Andrei Borzenkov @ 2016-02-22 7:02 UTC (permalink / raw)
To: grub-devel
15.02.2016 21:53, Eric Snowberg пишет:
> Prevent buffer over-read in grub_machine_mmap_iterate. This was
> causing phys_base from being calculated properly. This then
> caused the wrong value to be placed in ramdisk_image within
> struct linux_hdrs. Which prevented the ramdisk from loading on
> boot.
>
Applied. Thanks!
> Newer SPARC systems contain more than 8 available memory entries.
>
> For example on a T5-8 with 2TB of memory, the memory layout could
> look like this:
>
> T5-8 Memory
> reg 00000000 30000000 0000003f b0000000
> 00000800 00000000 00000040 00000000
> 00001000 00000000 00000040 00000000
> 00001800 00000000 00000040 00000000
> 00002000 00000000 00000040 00000000
> 00002800 00000000 00000040 00000000
> 00003000 00000000 00000040 00000000
> 00003800 00000000 00000040 00000000
> available 00003800 00000000 0000003f ffcae000
> 00003000 00000000 00000040 00000000
> 00002800 00000000 00000040 00000000
> 00002000 00000000 00000040 00000000
> 00001800 00000000 00000040 00000000
> 00001000 00000000 00000040 00000000
> 00000800 00000000 00000040 00000000
> 00000000 70000000 0000003f 70000000
> 00000000 6eef8000 00000000 00002000
> 00000000 30400000 00000000 3eaf6000
> name memory
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
> grub-core/kern/ieee1275/mmap.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/grub-core/kern/ieee1275/mmap.c b/grub-core/kern/ieee1275/mmap.c
> index 911bb00..d7f6a1b 100644
> --- a/grub-core/kern/ieee1275/mmap.c
> +++ b/grub-core/kern/ieee1275/mmap.c
> @@ -25,7 +25,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
> {
> grub_ieee1275_phandle_t root;
> grub_ieee1275_phandle_t memory;
> - grub_uint32_t available[32];
> + grub_uint32_t available[128];
> grub_ssize_t available_size;
> grub_uint32_t address_cells = 1;
> grub_uint32_t size_cells = 1;
> @@ -49,6 +49,9 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
> sizeof available, &available_size))
> return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
> "couldn't examine /memory/available property");
> + if (available_size > sizeof (available))
> + return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
> + "/memory response buffer exceeded");
>
> if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS))
> {
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-02-22 7:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-15 18:53 [PATCH v2] ieee1275: prevent buffer over-read Eric Snowberg
2016-02-22 7:02 ` Andrei Borzenkov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).