From c045b00d80a7712fe3e11132a907402a2d12e7b6 Mon Sep 17 00:00:00 2001 From: Andre Przywara Date: Fri, 3 Nov 2023 00:58:04 +0000 Subject: [PATCH] fel: sid: fix stack overflow while reading from SID When reading from the SID device using the normal memory access method, we upload our "readl" routine (via fel_readl_n()), which expects a number of *words* to read. However length is given in *bytes*, so we read four times as much, and overflow our key buffer, clobbering the return address. This is typically fatal: =============== $ ./sunxi-fel sid 02c05200:12345678:34567890:76543210 Segmentation fault (core dumped) $ =============== Fix this by giving the number of (32-bit) words instead. We already checked that length is a multiple of 4, so we can just divide. Signed-off-by: Andre Przywara --- fel_lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fel_lib.c b/fel_lib.c index dfb8e9812..b1c4ae854 100644 --- a/fel_lib.c +++ b/fel_lib.c @@ -623,7 +623,7 @@ int fel_read_sid(feldev_handle *dev, uint32_t *result, else /* Read SID directly from memory */ fel_readl_n(dev, soc->sid_base + soc->sid_offset + offset, - result, length); + result, length / 4); return 0; }