[PATCH 1/7] xyz-modem: Fix crash after cancelling transfer

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Wed Aug 4 10:50:31 CEST 2021



On 03.08.21 16:28, Pali Rohár wrote:
> Variable xyz.len is set to -1 on error. At the end xyzModem_stream_read()
> function calls memcpy() with length from variable xyz.len. If this variable
> is set to -1 then value passed to memcpy is casted to unsigned value, which
> means to copy whole address space. Which then cause U-Boot crash. E.g. on
> arm64 it cause CPU crash: "Synchronous Abort" handler, esr 0x96000006
> 
> Fix this issue by checking that value stored in xyz.len is valid prior
> trying to use it.
> 
> Signed-off-by: Pali Rohár <pali at kernel.org>

The changes below seem reasonable.

I would prefer if you could document the elements of struct xyz first. 
Just add Sphinx style comments to the structure and indicate for element 
len that a negative value signals an error.

Cf.
https://www.kernel.org/doc/html/latest/doc-guide/kernel-doc.html#structure-union-and-enumeration-documentation

Acked-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>

> ---
>   common/xyzModem.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/common/xyzModem.c b/common/xyzModem.c
> index fc3459ebbafe..b1b72aae0baf 100644
> --- a/common/xyzModem.c
> +++ b/common/xyzModem.c
> @@ -494,7 +494,7 @@ xyzModem_stream_read (char *buf, int size, int *err)
>     total = 0;
>     stat = xyzModem_cancel;
>     /* Try and get 'size' bytes into the buffer */
> -  while (!xyz.at_eof && (size > 0))
> +  while (!xyz.at_eof && xyz.len >= 0 && (size > 0))
>       {
>         if (xyz.len == 0)
>   	{
> @@ -587,7 +587,7 @@ xyzModem_stream_read (char *buf, int size, int *err)
>   	    }
>   	}
>         /* Don't "read" data from the EOF protocol package */
> -      if (!xyz.at_eof)
> +      if (!xyz.at_eof && xyz.len > 0)
>   	{
>   	  len = xyz.len;
>   	  if (size < len)
> 


More information about the U-Boot mailing list