[U-Boot] [PATCH] phy: Fix u-boot coruption when fixed-phy is used

Michal Simek michal.simek at xilinx.com
Wed Dec 19 15:57:38 UTC 2018


When fixed-link phy is used subnode offset is used as phy address. This
number is bigger then space allocated for bus structure (allocated via
mdio_alloc).
bus->phymap[] array has PHY_MAX_ADDR size (32).
That's why writing bus->phymap[addr] where addr is < 0 or > PHY_MAX_ADDR
is causing write to memory which can caused full U-Boot crash.

The patch is checking if address is in correct range.

Signed-off-by: Michal Simek <michal.simek at xilinx.com>
---

search_for_existing_phy() is using this array but there is if check
already that's why it shouldn't be a big deal.

---
 drivers/net/phy/phy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index e837eb7688cc..cda4caa8034d 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -656,7 +656,8 @@ static struct phy_device *phy_device_create(struct mii_dev *bus, int addr,
 
 	phy_probe(dev);
 
-	bus->phymap[addr] = dev;
+	if (addr >= 0 && addr < PHY_MAX_ADDR)
+		bus->phymap[addr] = dev;
 
 	return dev;
 }
-- 
1.9.1



More information about the U-Boot mailing list