Despite that /dev/mem has a size of 0, the check preventing out-of-bounds access works for /dev/mem as well, because of unsigned wrap around. Corner case is when offset is zero. There will be no wrap around and
count = min(count, 0 - 0) = 0 Leading to unexpected behavior with e.g. memcmp -s /dev/mem 0 on systems without MMU. Fix this. Signed-off-by: Ahmad Fatoum <[email protected]> --- fs/devfs-core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/devfs-core.c b/fs/devfs-core.c index 3715e543e632..2d016e0e4861 100644 --- a/fs/devfs-core.c +++ b/fs/devfs-core.c @@ -573,7 +573,10 @@ ssize_t mem_copy(struct device_d *dev, void *dst, const void *src, if (!dev || dev->num_resources < 1) return -1; - count = size = min(count, resource_size(&dev->resource[0]) - offset); + if (resource_size(&dev->resource[0]) > 0 || offset != 0) + count = min(count, resource_size(&dev->resource[0]) - offset); + + size = count; /* no rwsize specification given. Do whatever memcpy likes best */ if (!rwsize) { -- 2.33.0 _______________________________________________ barebox mailing list [email protected] http://lists.infradead.org/mailman/listinfo/barebox
