fel: sid: fix stack overflow while reading from SID #201

Merged (1 commit, Nov 3, 2023)

Conversation

@apritzel (Contributor) commented Nov 3, 2023

When reading from the SID device using the normal memory access method, we upload our "readl" routine (via fel_readl_n()), which expects a number of words to read. However length is given in bytes, so we read four times as much, and overflow our key buffer, clobbering the return address. This is typically fatal:

$ ./sunxi-fel sid
02c05200:12345678:34567890:76543210
Segmentation fault (core dumped)
$

Fix this by giving the number of (32-bit) words instead. We already checked that length is a multiple of 4, so we can just divide.

Signed-off-by: Andre Przywara <[email protected]>
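As an added illustration of the byte/word mix-up described in this PR (a constructed example, not sunxi-tools code): `model_readl_n` is a hypothetical stand-in for the uploaded "readl" routine, `read_sid_buggy`/`read_sid_fixed` stand in for the caller before and after the fix, and the SID words are the values from the terminal output above, not real device data. The model refuses to write past the buffer and reports the overrun instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the SID e-fuse words (values copied from the
 * PR's terminal output, not read from a real device). */
static const uint32_t fake_sid[] = {0x02c05200, 0x12345678, 0x34567890, 0x76543210};
#define FAKE_SID_WORDS (sizeof fake_sid / sizeof fake_sid[0])

/* Stack-sized key buffer like the one the bug overran: 4 words = 16 bytes. */
uint32_t key_buf[4];

struct sid_read {
    bool invalid_length;     /* length was not a multiple of 4 */
    bool overflow;           /* request exceeds the destination buffer */
    size_t words_requested;
    size_t bytes_requested;  /* words_requested * 4 */
};

/* Hypothetical model of the uploaded "readl" routine: like fel_readl_n()
 * it is told how many 32-bit WORDS to read. Unlike the real one it clamps
 * the copy to dst_bytes, so an overrun shows up as overflow=true. */
static struct sid_read model_readl_n(uint32_t *dst, size_t dst_bytes, size_t count)
{
    struct sid_read r = {0};
    r.words_requested = count;
    r.bytes_requested = count * sizeof(uint32_t);
    r.overflow = r.bytes_requested > dst_bytes;
    size_t n = r.overflow ? dst_bytes / sizeof(uint32_t) : count;
    for (size_t i = 0; i < n; i++)
        dst[i] = fake_sid[i % FAKE_SID_WORDS];  /* device window wraps in the model */
    return r;
}

/* Before the fix: the byte length is forwarded as if it were a word count,
 * so a 16-byte request becomes 16 words (64 bytes) into a 16-byte buffer. */
struct sid_read read_sid_buggy(uint32_t *key, size_t key_bytes, size_t length)
{
    struct sid_read r = {0};
    if (length % 4 != 0) { r.invalid_length = true; return r; }
    return model_readl_n(key, key_bytes, length);      /* BUG: bytes, not words */
}

/* After the fix: same multiple-of-4 check, then bytes -> words. */
struct sid_read read_sid_fixed(uint32_t *key, size_t key_bytes, size_t length)
{
    struct sid_read r = {0};
    if (length % 4 != 0) { r.invalid_length = true; return r; }
    return model_readl_n(key, key_bytes, length / 4);  /* word count, as expected */
}
```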
@paulkocialkowski paulkocialkowski left a comment

Yeah, it's a bit weird to pass a length instead of a count to fel_read_sid in the first place, but that can be changed later.

Good catch and thanks for the fix!

@paulkocialkowski paulkocialkowski merged commit fcb7865 into linux-sunxi:master Nov 3, 2023
1 check passed
@apritzel apritzel deleted the fix_fel_sid_so branch November 13, 2023 23:58