[Skiboot] [PATCH] pflash: fix buffer overflow: fl_total_size uint32_t not uint64_t

Stewart Smith stewart at linux.vnet.ibm.com
Thu Sep 1 15:46:47 AEST 2016


This ends up being a harmless bug due to memory layout.

$ ./pflash -F ~/op-build/output/images/firestone.pnor -i
==31829==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000062f080 at pc 0x410226 bp 0x7ffedba9c950 sp 0x7ffedba9c948
WRITE of size 8 at 0x00000062f080 thread T0
    #0 0x410225 in file_get_info (/home/stewart/skiboot/external/pflash/pflash+0x410225)
    #1 0x40d832 in blocklevel_get_info (/home/stewart/skiboot/external/pflash/pflash+0x40d832)
    #2 0x401f0c in main (/home/stewart/skiboot/external/pflash/pflash+0x401f0c)
    #3 0x7fc77439ab44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x403884 (/home/stewart/skiboot/external/pflash/pflash+0x403884)

Signed-off-by: Stewart Smith <stewart at linux.vnet.ibm.com>
---
 external/pflash/pflash.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/external/pflash/pflash.c b/external/pflash/pflash.c
index 2700046..8570acd 100644
--- a/external/pflash/pflash.c
+++ b/external/pflash/pflash.c
@@ -53,7 +53,8 @@ static uint8_t file_buf[FILE_BUF_SIZE] __aligned(0x1000);
 
 static struct blocklevel_device *bl;
 static struct ffs_handle	*ffsh;
-static uint32_t			fl_total_size, fl_erase_granule;
+static uint64_t			fl_total_size;
+static uint32_t			fl_erase_granule;
 static const char		*fl_name;
 static int32_t			ffs_index = -1;
 
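Review bot: widening fl_total_size to uint64_t matches the 8-byte write in the ASan report, but the hunk shows only the declaration; every other use of fl_total_size in pflash.c (printf format specifiers such as %u or %x, which are wrong for a 64-bit value, and any assignment into a uint32_t local or struct field that would now truncate) needs the same review and is not visible here. Splitting the declaration so fl_erase_granule keeps its 32-bit width is the right call, since only total_size is reported as 64-bit.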
-- 
2.7.4
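The bug class behind this patch is an out-parameter whose storage is narrower than what the callee writes through it. The following is an added illustration, not code from skiboot or from the patch author: get_info() is a hypothetical stand-in for blocklevel_get_info() that reports the part size as a 64-bit value (the "WRITE of size 8" in the report above), the caller's storage is declared at the width the callee writes, a _Static_assert keeps the two from drifting apart, and a helper narrows to 32 bits only when the value actually fits. All sizes are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Hypothetical stand-in for blocklevel_get_info(): the total size goes out
 * through a uint64_t pointer, so the callee performs an 8-byte store. */
static int get_info(uint64_t *total_size, uint32_t *erase_granule)
{
    *total_size = 64ull << 20;   /* constructed: 64 MiB part */
    *erase_granule = 64u << 10;  /* constructed: 64 KiB erase block */
    return 0;
}

/* Caller-side storage declared at the width the callee writes, as in the
 * fixed version of pflash.c. With uint32_t here the 8-byte store would
 * spill into whatever the linker placed next to it. */
static uint64_t fl_total_size;
static uint32_t fl_erase_granule;

/* Reads the size through the out-parameter; the static assert fails the
 * build if someone narrows fl_total_size again. */
uint64_t read_total_size(void)
{
    _Static_assert(sizeof(fl_total_size) == sizeof(uint64_t),
                   "fl_total_size must be as wide as get_info() writes");
    if (get_info(&fl_total_size, &fl_erase_granule) != 0)
        return 0;
    return fl_total_size;
}

/* Returns 1 if a 64-bit size can be represented in 32 bits, else 0. */
int size_fits_u32(uint64_t size)
{
    return size <= UINT32_MAX;
}

/* Explicit narrowing for interfaces that really take 32-bit sizes:
 * refuse values that do not fit instead of truncating silently. */
int narrow_size_u32(uint64_t size, uint32_t *out)
{
    if (!size_fits_u32(size))
        return -ERANGE;
    *out = (uint32_t)size;
    return 0;
}

int main(void)
{
    uint32_t size32;
    uint64_t size = read_total_size();

    if (narrow_size_u32(size, &size32) == 0)
        printf("total size %u bytes, erase granule %u bytes\n",
               size32, fl_erase_granule);
    else
        printf("total size does not fit in 32 bits\n");
    return 0;
}
```

Passing a `uint32_t *` where a `uint64_t *` is expected is an incompatible-pointer-types diagnostic in GCC and Clang; building with `-Werror=incompatible-pointer-types` turns that class of mismatch into a build failure rather than something only AddressSanitizer catches at run time.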
