Dear Marek Vasut, In message <[email protected]> you wrote: > The flash_info_t->start[] field is limited in size by > CONFIG_SYS_MAX_FLASH_SECT > macro, which is set to 19 for this board in the board config file. If we > inspect > the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, > we > can notice the "switch ((long)flashtest)" at around line 80 having a few > results > which will set flash_info_t->sector_count to value higher than 19, for example > "case AMD_ID_LV640U" will set it to 128. Notice that right underneath, > iteration > over flash_info_t->start[] happens and the upper bound for the interation is > flash_info_t->sector_count. Now if the sector_count is 128 as it is for the > AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is > only 19, an access past the start[] array much happen. Moreover, during this > iteration, the field is written to, so memory corruption is inevitable. > > Signed-off-by: Marek Vasut <[email protected]> > Cc: Wolfgang Denk <[email protected]> > Cc: Tom Rini <[email protected]> > Cc: Richard Danter <[email protected]> > --- > include/configs/ppmc7xx.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-)
Applied, thanks. Best regards, Wolfgang Denk -- DENX Software Engineering GmbH, MD: Wolfgang Denk & Detlev Zundel HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: [email protected] You could end up being oddly sad and full of a strange, diffuse com- passion which would lead you to believe that it might be a good idea to wipe out the whole human race and start again with amoebas. - Terry Pratchett, _Guards! Guards!_ _______________________________________________ U-Boot mailing list [email protected] http://lists.denx.de/mailman/listinfo/u-boot
