[BUG][Cyrus BOARD] out of bound access in board/varisys/common/sys_eeprom.c
Andy Fleming
afleming at gmail.com
Tue Apr 13 17:16:34 CEST 2021
On Sun, Apr 11, 2021 at 17:40 Tom Rini <trini at konsulko.com> wrote:
> On Mon, Apr 12, 2021 at 12:25:32AM +0200, Heinrich Schuchardt wrote:
>
> > Hello Andy,
> >
> > in the code of your patch "mpc85xx: Add support for the Varisys Cyrus
> > board" merged in 2015 as 87e29878cab an out of bound access occurs. See
> > below.
> >
> > On 11/4/15 10:48 PM, Andy Fleming wrote:
> > > This board runs a P5020 or P5040 chip, and utilizes
> > > an EEPROM with similar formatting to the Freescale P5020DS.
> > >
> > > Large amounts of this code were developed by
> > > Adrian Cox <adrian at humboldt dot co dot uk>
> > >
> > > Signed-off-by: Andy Fleming <afleming at gmail.com>
> > > Reviewed-by: York Sun <yorksun at freescale.com>
> > > ---
> >
> > <snip />
> >
> > > +++ b/board/varisys/common/sys_eeprom.c
> >
> > <snip />
> >
> > > +static struct __attribute__ ((__packed__)) eeprom {
> > > + u8 id[4]; /* 0x00 - 0x03 EEPROM Tag 'NXID' */
> > > + u8 sn[12]; /* 0x04 - 0x0F Serial Number */
> > > + u8 errata[5]; /* 0x10 - 0x14 Errata Level */
> > > + u8 date[6]; /* 0x15 - 0x1a Build Date */
> > > + u8 res_0; /* 0x1b Reserved */
> > > + u32 version; /* 0x1c - 0x1f NXID Version */
> > > + u8 tempcal[8]; /* 0x20 - 0x27 Temperature Calibration Factors */
> > > + u8 tempcalsys[2]; /* 0x28 - 0x29 System Temperature Calibration
> > Factors */
> > > + u8 tempcalflags; /* 0x2a Temperature Calibration Flags */
> > > + u8 res_1[21]; /* 0x2b - 0x3f Reserved */
> > > + u8 mac_count; /* 0x40 Number of MAC addresses */
> > > + u8 mac_flag; /* 0x41 MAC table flags */
> > > + u8 mac[MAX_NUM_PORTS][6]; /* 0x42 - x MAC addresses */
> > > + u32 crc; /* x+1 CRC32 checksum */
> > > +} e;
> >
> > <snip /> // MAX_NUM_PORTS = 8
> >
> > > +int mac_read_from_eeprom_common(void)
> > > +{
> > > + unsigned int i;
> > > + u32 crc, crc_offset = offsetof(struct eeprom, crc);
> > > + u32 *crcp; /* Pointer to the CRC in the data read from the EEPROM
> */
> > > +
> > > + puts("EEPROM: ");
> > > +
> > > + if (read_eeprom()) {
> > > + printf("Read failed.\n");
> > > + return 0;
> > > + }
> > > +
> > > + if (!is_valid) {
> > > + printf("Invalid ID (%02x %02x %02x %02x)\n",
> > > + e.id[0], e.id[1], e.id[2], e.id[3]);
> > > + return 0;
> > > + }
> > > +
> > > + crc = crc32(0, (void *)&e, crc_offset);
> > > + crcp = (void *)&e + crc_offset;
> > > + if (crc != be32_to_cpu(*crcp)) {
> > > + printf("CRC mismatch (%08x != %08x)\n", crc,
> > > + be32_to_cpu(e.crc));
> > > + return 0;
> > > + }
> > > +
> > > + /*
> > > + * MAC address #9 in v1 occupies the same position as the CRC in
> v0.
> > > + * Erase it so that it's not mistaken for a MAC address. We'll
> > > + * update the CRC later.
> > > + */
> > > + if (e.version == 0)
> > > + memset(e.mac[8], 0xff, 6);
> >
> > Here you are writing 2 bytes beyond the size of e.
>
> A useful analysis in case anyone brings these boards back. I'm about to
> push the series that delete this due to lack of migration.
Interesting. It’s clear there’s ambiguity there, as some versions have more
data there, but that definitely looks wrong. Unfortunately, I don’t have
one of these boards anymore (And I doubt nxp does), so no resurrection
anytime soon.
Andy
More information about the U-Boot
mailing list