From: Rob Herring <robherring2@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH] env: fix potential stack overflow in environment functions
Date: Fri, 22 Mar 2013 17:56:32 -0500 [thread overview]
Message-ID: <514CE1A0.7080907@gmail.com> (raw)
In-Reply-To: <20130322220426.EF69A2014CE@gemini.denx.de>
On 03/22/2013 05:04 PM, Wolfgang Denk wrote:
> Dear Rob Herring,
>
> In message <1363987581-28050-1-git-send-email-robherring2@gmail.com> you wrote:
>>
>> Most of the various environment functions create CONFIG_ENV_SIZE buffers on
>> the stack. At least on ARM and PPC which have 4KB stacks, this can overflow
>> the stack if we have large environment sizes. So move all the buffers off
>> the stack to static buffers.
>
> Could you please explain what exactly you mean with this "have 4KB
> stacks" statement?
Well, that's what ARM and PPC have for their stack size. This is not the
first stack overflow I've fixed. The last was caused by having a large
printf buffer size:
commit fcfa696b3a354ab1e16601683c61f671487aded7
Author: Rob Herring <rob.herring@calxeda.com>
Date: Thu Jun 28 03:54:11 2012 +0000
ARM: increase lmb stack space reservation to 4KB
The bootm initrd image copy to ram can collide with the stack in cases
where the print buffer size is large (i.e. 1K). The result is
intermittent
initrd decompression errors depending on the initrd size MOD 4KB since
the initrd start address is 4KB aligned.
Cc: Albert ARIBAUD <albert.u.boot@aribaud.net>
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
> Also, why do you think there is more space for data then for stack?
Because in "normal" systems that is the case. It is reasonable to expect
that a 1MB allocation would be possible for static data or malloc, but
not for a stack. I could have just increased the stack size, but that is
a fragile solution.
> Has this patch been tested on any actual hardware?
Yes. This fixes a problem on actual h/w (highbank). The problem was
introduced with only an env change.
> I would expect problems, as this code is running before relocation,
> i. e. when the data segment is not writable?
env_relocate is called by board_init_r at least on ARM which is after
relocation, right?
Rob
next prev parent reply other threads:[~2013-03-22 22:56 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-22 21:26 [U-Boot] [PATCH] env: fix potential stack overflow in environment functions Rob Herring
2013-03-22 22:04 ` Wolfgang Denk
2013-03-22 22:56 ` Rob Herring [this message]
2013-03-23 0:29 ` Wolfgang Denk
2013-04-03 15:30 ` [U-Boot] " Tom Rini
2013-04-05 11:17 ` Wolfgang Denk
2013-04-05 15:26 ` Rob Herring
2013-04-05 16:15 ` Wolfgang Denk
2013-04-05 16:21 ` Wolfgang Denk
2013-04-05 16:24 ` Wolfgang Denk
2013-04-05 16:40 ` Rob Herring
2013-04-05 17:13 ` Wolfgang Denk
2013-04-05 18:16 ` Rob Herring
2013-04-05 18:47 ` Wolfgang Denk
2013-04-05 23:17 ` Scott Wood
2013-04-06 7:06 ` Wolfgang Denk
2013-04-05 18:49 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=514CE1A0.7080907@gmail.com \
--to=robherring2@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox