Vladimir Serbinenko (phcoder@gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/4691
-gerrit
commit b4fc4fdbc1047201e70bae82b6491fa0b2d2d9d6
Author: Vladimir Serbinenko phcoder@gmail.com
Date: Wed Jan 15 22:06:56 2014 +0100
libpayload/options: Fix out of array read.
It resulted in garbage in upper bytes of numeric options.
Change-Id: I5e5d8b770ed93c7e8a1756a5ce32444b6a045bac
Signed-off-by: Vladimir Serbinenko phcoder@gmail.com
---
 payloads/libpayload/drivers/options.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/payloads/libpayload/drivers/options.c b/payloads/libpayload/drivers/options.c index d497c0a..70c2b17 100644 --- a/payloads/libpayload/drivers/options.c +++ b/payloads/libpayload/drivers/options.c @@ -310,6 +310,10 @@ int get_option_as_string(const struct nvram_accessor *nvram, struct cb_cmos_opti return 1; int cmos_length = (cmos_entry->length+7)/8;
+ /* ensure we have enough space for u64 */ + if (cmos_length < 8) + cmos_length = 8; + /* extra byte to ensure 0-terminated strings */ raw = malloc(cmos_length+1); memset(raw, 0, cmos_length+1);
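Review bot: The clamp in get_option_as_string() overwrites cmos_length itself rather than only the allocation size, so any code after this point that uses cmos_length as the byte length of the CMOS entry will now see 8 for every entry shorter than that. The rest of the function is not visible here, so it is worth confirming that nothing later depends on the original value; a separate variable for the buffer size (for example an alloc_length passed to `malloc(alloc_length+1)` and `memset`) would keep the two meanings apart. The literal 8 would also read better as `sizeof(u64)`, which matches the comment and stays correct if the numeric type ever changes. Separately, in the context lines the result of `raw = malloc(cmos_length+1);` goes straight into `memset(raw, 0, cmos_length+1);` with no NULL check, which is pre-existing but sits right next to the changed lines and could be handled in the same patch.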