[PATCH 1/7] xyz-modem: Fix crash after cancelling transfer

Tom Rini trini at konsulko.com
Fri Sep 3 23:29:04 CEST 2021


On Tue, Aug 03, 2021 at 04:28:38PM +0200, Pali Rohár wrote:

> Variable xyz.len is set to -1 on error. At the end xyzModem_stream_read()
> function calls memcpy() with length from variable xyz.len. If this variable
> is set to -1 then value passed to memcpy is cast to unsigned value, which
> means to copy whole address space. Which then causes U-Boot crash. E.g. on
> arm64 it causes CPU crash: "Synchronous Abort" handler, esr 0x96000006
> 
> Fix this issue by checking that value stored in xyz.len is valid prior
> to trying to use it.
> 
> Signed-off-by: Pali Rohár <pali at kernel.org>
> Acked-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>

With a quick X/Y modem test boot on am335x_evm:
For the series, applied to u-boot/next, thanks!

-- 
Tom
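
The failure mode described in the quoted commit message, as an added example that is not part of the original mail and is not U-Boot's code: a signed length of -1 converted to `size_t` becomes `SIZE_MAX`, and a guard on the signed value keeps it away from `memcpy()`. The names `rx_state`, `length_seen_by_memcpy` and `guarded_read` are hypothetical; only the "-1 on error" convention comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the receiver state. Only the convention that
 * `len` is set to -1 on error is taken from the commit message. */
struct rx_state {
	const unsigned char *bufp; /* next unread byte of the current packet */
	int len;                   /* bytes left in the packet, or -1 after an error */
};

/* The length memcpy() would receive if `len` were passed unchecked:
 * the int is converted to size_t, so -1 becomes SIZE_MAX. */
size_t length_seen_by_memcpy(int len)
{
	return (size_t)len;
}

/* Guarded copy: validate the signed length before it reaches memcpy().
 * Returns the number of bytes copied, or -1 if the state holds an error. */
int guarded_read(struct rx_state *st, unsigned char *dst, int size)
{
	int n;

	if (size < 0 || st->len < 0)
		return -1; /* error state: never call memcpy() */
	n = st->len < size ? st->len : size;
	if (n > 0) {
		memcpy(dst, st->bufp, (size_t)n);
		st->bufp += n;
		st->len -= n;
	}
	return n;
}

int main(void)
{
	unsigned char out[8];
	/* Constructed sample state: transfer cancelled, len left at -1. */
	struct rx_state cancelled = { (const unsigned char *)"data", -1 };

	printf("unchecked length: %zu\n", length_seen_by_memcpy(-1));
	printf("guarded read: %d\n", guarded_read(&cancelled, out, (int)sizeof(out)));
	return 0;
}
```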