On Sat, 01 Feb 2014 11:56:22 +0600 [email protected] wrote:
> I found a buffer overflow in the at45db module. The error was in the chunk length
> calculation.
> Patch is attached.
>
> Chip AT45DB041D: reading, writing and erasing operations work correctly.
>
> Best regards,
> Alexander Irenkov
Yes, you are right, Alexander, thank you. I think the error was introduced by some refactorings or rebasing of the original patch. I think my original code looked a bit different/simpler than Alexander's. I have attached my version of a patch to fix this. Now I am interested if this version fixes the problem The Raven was seeing only on erase, even with your patch applied.

The Raven: If this does not fix the erase issue then please add '-g' to the CFLAGS in the makefile, recompile flashrom completely (make -B or make clean + make), and run an erase within gdb with 'spew' debug level:

$ gdb --args ./flashrom -VVV -E -p ...
[…]
(gdb) r
Starting program: […]
[…]
Segfault detected
[…]
(gdb) bt
<Backtrace output>
(gdb) q
$

Please send me the flashrom log and the backtrace obtained from GDB.

--
Kind regards/Mit freundlichen Grüßen,
Stefan Tauner
>From cc6af408c97b04994ace885862e6687387e8ee79 Mon Sep 17 00:00:00 2001 From: Stefan Tauner <[email protected]> Date: Sat, 10 May 2014 00:30:49 +0200 Subject: [PATCH] AT45DB: fix length calculations in read functions. This fixes segfaults on reads, ouch. Thanks to The Raven and Alexander Irenkov for reporting the problem. Signed-off-by: Stefan Tauner <[email protected]> --- at45db.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/at45db.c b/at45db.c index b1a81ef..f8ccd93 100644 --- a/at45db.c +++ b/at45db.c @@ -262,6 +262,7 @@ int spi_read_at45db(struct flashctx *flash, uint8_t *buf, unsigned int addr, uns return ret; } addr += chunk; + len -= chunk; } return 0; @@ -302,6 +303,7 @@ int spi_read_at45db_e8(struct flashctx *flash, uint8_t *buf, unsigned int addr, /* Copy result without dummy bytes into buf and advance address counter respectively. */ memcpy(buf + addr, tmp + 4, chunk - 4); addr += chunk - 4; + len -= chunk - 4; } return 0; } -- Kind regards, Stefan Tauner
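Review bot: in the first hunk (spi_read_at45db) the added `len -= chunk;` is the missing counterpart of `addr += chunk;`, but the parameters visible in the hunk header are unsigned, so the subtraction is only safe if `chunk` is clamped to at most `len` where it is computed above the hunk (not shown); please confirm that clamp exists, otherwise `len` wraps to a huge value on the last iteration and the loop overruns `buf` much as it did before the fix. A short comment that `len` is the remaining byte count would help the next reader see why both lines belong together.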
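Review bot: in the second hunk (spi_read_at45db_e8) the dummy-byte constant `4` now appears three times in adjacent lines, `memcpy(buf + addr, tmp + 4, chunk - 4);`, `addr += chunk - 4;` and `len -= chunk - 4;`; computing a single local such as `payload = chunk - 4` once and using it in all three places would keep them from drifting apart, and the existing comment ("Copy result without dummy bytes into buf and advance address counter respectively.") should be extended to mention the length counter as well. The same unsigned-wrap caveat as in the first hunk applies: `chunk - 4` must never exceed `len`.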
_______________________________________________ flashrom mailing list [email protected] http://www.flashrom.org/mailman/listinfo/flashrom
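The failure discussed in this thread, a chunked read loop that advances the address but never shrinks the remaining length, is easy to reproduce in a small model. The following is an added example written for this page, not flashrom code and not the patch above: it simulates an E8-style read (4 dummy bytes ahead of the data) against a constructed 4 KiB chip image whose addresses wrap around, and runs the same loop body with and without the length decrement. Chip size, chunk size, the wrap-around behaviour and the iteration cap are all assumptions of the model; out-of-bounds writes are counted rather than performed so the program itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHIP_SIZE   4096u   /* constructed: size of the simulated flash image */
#define MAX_PAYLOAD  256u   /* constructed: data bytes per read command */
#define DUMMY_BYTES    4u   /* modelled on the E8 read: 4 dummy bytes precede the data */
#define ITER_CAP      64u   /* safety cap so the buggy loop terminates in this model */

static uint8_t chip[CHIP_SIZE];    /* simulated chip contents (constructed pattern) */
static uint8_t image[CHIP_SIZE];   /* whole-chip buffer the read loop fills */

static void chip_init(void)
{
    for (unsigned i = 0; i < CHIP_SIZE; i++)
        chip[i] = (uint8_t)(i * 7u + 1u);
    memset(image, 0, sizeof image);
}

/* Simulated E8-style read: DUMMY_BYTES of filler, then chunk - DUMMY_BYTES data
 * bytes. The constructed model wraps addresses modulo CHIP_SIZE, so an over-long
 * read never fails on its own; the caller's bookkeeping has to stop it. */
static void chip_read_e8(unsigned addr, uint8_t *out, unsigned chunk)
{
    memset(out, 0xFF, DUMMY_BYTES);
    for (unsigned i = 0; i + DUMMY_BYTES < chunk; i++)
        out[DUMMY_BYTES + i] = chip[(addr + i) % CHIP_SIZE];
}

struct rd_result {
    unsigned iterations;  /* read commands issued */
    unsigned oob_bytes;   /* bytes that would have landed past the end of the buffer */
    int err;
};

/* One loop body shared by both variants so the only difference is the decrement.
 * buf is a whole-chip image indexed by absolute address, like memcpy(buf + addr, ...)
 * in the patch. Copies that would run past the buffer are counted, not performed. */
static struct rd_result read_loop(uint8_t *buf, unsigned addr, unsigned len, int fixed)
{
    struct rd_result r = {0, 0, 0};
    uint8_t tmp[MAX_PAYLOAD + DUMMY_BYTES];

    if (addr > CHIP_SIZE || len > CHIP_SIZE - addr) { r.err = -1; return r; }

    while (len > 0 && r.iterations < ITER_CAP) {
        unsigned payload = len < MAX_PAYLOAD ? len : MAX_PAYLOAD; /* clamp to len */
        unsigned chunk = payload + DUMMY_BYTES;
        unsigned room = addr < CHIP_SIZE ? CHIP_SIZE - addr : 0;
        unsigned ok = payload < room ? payload : room;

        chip_read_e8(addr, tmp, chunk);
        memcpy(buf + addr, tmp + DUMMY_BYTES, ok);  /* in-bounds part only */
        r.oob_bytes += payload - ok;                 /* the rest would overflow buf */
        addr += payload;
        if (fixed)
            len -= payload;   /* the line the patch adds: remaining bytes shrink */
        /* Without the decrement len never changes, so the loop keeps issuing
         * full-size reads beyond the requested range until something stops it. */
        r.iterations++;
    }
    return r;
}

static struct rd_result read_e8_buggy(uint8_t *buf, unsigned addr, unsigned len)
{
    return read_loop(buf, addr, len, 0);
}

static struct rd_result read_e8_fixed(uint8_t *buf, unsigned addr, unsigned len)
{
    return read_loop(buf, addr, len, 1);
}

/* Returns 1 if buf[addr..addr+len) matches the simulated chip contents. */
static int image_matches(const uint8_t *buf, unsigned addr, unsigned len)
{
    return memcmp(buf + addr, chip + addr, len) == 0;
}

int main(void)
{
    const unsigned addr = CHIP_SIZE - 600u, len = 600u;
    chip_init();
    struct rd_result f = read_e8_fixed(image, addr, len);
    printf("fixed: %u reads, %u out-of-bounds bytes, match=%d\n",
           f.iterations, f.oob_bytes, image_matches(image, addr, len));
    chip_init();
    struct rd_result b = read_e8_buggy(image, addr, len);
    printf("buggy: %u reads (hit cap), %u out-of-bounds bytes\n",
           b.iterations, b.oob_bytes);
    return 0;
}
```

Reading the last 600 bytes of the image needs three commands (256 + 256 + 88) with the decrement in place; without it the loop never sees the request finish, walks past the end of the chip and, on real hardware with a real buffer, past the end of `buf`, which is the segfault the thread describes.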
