[PATCH linux dev-5.3 2/3] fsi: aspeed: Fix buffer overrun for small writes

Andrew Jeffery andrew at aj.id.au
Wed Oct 30 23:37:06 AEDT 2019


One and two byte writes read data beyond the end of the provided
buffer.

Signed-off-by: Andrew Jeffery <andrew at aj.id.au>
---
 drivers/fsi/fsi-master-aspeed.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/fsi/fsi-master-aspeed.c b/drivers/fsi/fsi-master-aspeed.c
index cb8064cc59c0..6767cd89de36 100644
--- a/drivers/fsi/fsi-master-aspeed.c
+++ b/drivers/fsi/fsi-master-aspeed.c
@@ -331,7 +331,23 @@ static int aspeed_master_write(struct fsi_master *master, int link,
 		return -EINVAL;
 
 	addr += link * FSI_HUB_LINK_SIZE;
-	ret = opb_write(aspeed, fsi_base + addr, *(uint32_t *)val, size);
+
+	switch (size) {
+	case 1:
+		ret = opb_write(aspeed, fsi_base + addr, *(uint8_t *)val,
+				size);
+		break;
+	case 2:
+		ret = opb_write(aspeed, fsi_base + addr, *(uint16_t *)val,
+				size);
+		break;
+	case 4:
+		ret = opb_write(aspeed, fsi_base + addr, *(uint32_t *)val,
+				size);
+		break;
+	default:
+		return -EINVAL;
+	}
 
 	ret = check_errors(aspeed, ret);
 	if (ret)
-- 
2.20.1



More information about the openbmc mailing list