[PATCH 1/1] fru: ops: avoid out of bounds access
Michal Simek
michal.simek at xilinx.com
Mon Jan 4 09:10:39 CET 2021
On 03. 01. 21 18:07, Heinrich Schuchardt wrote:
> Building xilinx_zynq_virt_defconfig fails on origin/next as reported by
> GCC 10.2 (as provided by Debian Bullseye):
>
> CC board/xilinx/common/fru_ops.o
> board/xilinx/common/fru_ops.c: In function ‘fru_capture’:
> board/xilinx/common/fru_ops.c:173:8:
> error: array subscript 284 is outside array bounds of
> ‘struct fru_table[1]’ [-Werror=array-bounds]
> 173 | limit = data + sizeof(struct fru_board_data);
> | ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> board/xilinx/common/fru_ops.c:17:18: note: while referencing ‘fru_data’
> 17 | struct fru_table fru_data __section(.data);
> | ^~~~~~~~
>
> When using sizeof(struct fru_board_data) to find the end of the structure
> you should add it to the start of the structure.
>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
> ---
> board/xilinx/common/fru_ops.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/board/xilinx/common/fru_ops.c b/board/xilinx/common/fru_ops.c
> index b4cd3d4998..44f0913f2e 100644
> --- a/board/xilinx/common/fru_ops.c
> +++ b/board/xilinx/common/fru_ops.c
> @@ -170,7 +170,7 @@ static int fru_parse_board(unsigned long addr)
> data = (u8 *)&fru_data.brd.manufacturer_type_len;
>
> /* Record max structure limit not to write data over allocated space */
> - limit = data + sizeof(struct fru_board_data);
> + limit = (u8 *)&fru_data.brd + sizeof(struct fru_board_data);
>
> for (i = 0; ; i++, data += FRU_BOARD_MAX_LEN) {
> len = fru_check_type_len(*(u8 *)addr, fru_data.brd.lang_code,
> --
> 2.29.2
>
Applied.
M
More information about the U-Boot
mailing list