This ports the following barebox commit
| commit dc5100e6ba686fafd5570ce6d972383f047c7313
| Author: Ahmad Fatoum <a.fat...@pengutronix.de>
| Date: Thu Mar 5 08:40:31 2020 +0100
|
| state: backend_storage: deal gracefully with runtime bucket corruption
|
| Corrupting an already selected bucket and then reading it again will
| crash barebox when it attempts the refresh:
|
| barebox$ state -l
| barebox$ mw -d /dev/eeprom0.state 0 0x42
| barebox$ state -l
| ERROR: state: No meta data header found
| state: Using bucket 1@0x00000040
| unable to handle NULL pointer dereference at address 0x00000000
| pc : [<4fe4f1ea>] lr : [<4fe0bcb1>]
| sp : 4ffefd5c ip : 00000000 fp : 2ff68f04
| r10: 4ffefdc8 r9 : 4b434d63 r8 : 30155f50
| r7 : 00000024 r6 : 2ff68b60 r5 : 2ff68e90 r4 : 00000000
| r3 : 00000024 r2 : 00000024 r1 : 30155f50 r0 : 00000000
| Flags: Nzcv IRQs off FIQs off Mode SVC_32
| WARNING: [<4fe4f1ea>] (memcmp+0x14/0x1a) from [<4fe0bcb1>]
(bucket_refresh.isra.0+0x4d/0x78)
| WARNING: [<4fe0bcb1>] (bucket_refresh.isra.0+0x4d/0x78) from
[<4fe0be1d>] (state_storage_read+0xd1/0x104)
| WARNING: [<4fe0be1d>] (state_storage_read+0xd1/0x104) from [<4fe0a5bd>]
(state_do_load+0x1d/0x78)
| WARNING: [<4fe0a5bd>] (state_do_load+0x1d/0x78) from [<4fe04137>]
(execute_command+0x23/0x4c)
|
| The memcmp called here is an optimization to skip I/O if the used bucket
| and the one to be refreshed compare equal. Unfortunately, if the now
| corrupt bucket was previously the used one, bucket->len will hold the
| old value and we'll run into a NULL pointer dereference.
|
| While this is quite inconvenient, it appears it doesn't affect
| correctness: after the reset, the corrupt bucket will be refreshed
| as expected.
|
| Improve upon this by setting the length to zero when we are NULLing the
| buffer. The zero length of the corrupted bucket will then compare unequal
| to used_bucket->len in bucket_refresh() and ensure we will always refresh
| the buffer if it becomes corrupted without an intermittent reset.
|
| Fixes: 238008b4bd8f ("state: Drop cache bucket")
| Cc: Enrico Jörns <e...@pengutronix.de>
| Signed-off-by: Ahmad Fatoum <a.fat...@pengutronix.de>
| Signed-off-by: Sascha Hauer <s.ha...@pengutronix.de>
Signed-off-by: Marco Felsch <m.fel...@pengutronix.de>
---
src/barebox-state/backend_storage.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/barebox-state/backend_storage.c
b/src/barebox-state/backend_storage.c
index 509427f..458f2a9 100644
--- a/src/barebox-state/backend_storage.c
+++ b/src/barebox-state/backend_storage.c
@@ -192,6 +192,7 @@ int state_storage_read(struct state_backend_storage
*storage,
/* Free buffer from the unused buckets */
free(bucket->buf);
bucket->buf = NULL;
+ bucket->len = 0;
}
/*
@@ -204,6 +205,7 @@ int state_storage_read(struct state_backend_storage
*storage,
/* buffer from the used bucket is passed to the caller, do not free */
bucket_used->buf = NULL;
+ bucket_used->len = 0;
return 0;
}
--
2.30.2
