[flashrom] [PATCH] Fix out-of-bounds access if all erase functions fail

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sat Apr 16 00:13:50 CEST 2011


On 15.04.2011 13:16, Stefan Tauner wrote:
> On Fri, 15 Apr 2011 07:31:29 +0200
> Carl-Daniel Hailfinger<c-d.hailfinger.devel.2006 at gmx.net>  wrote:
>
>    
>> Index: flashrom-fix_erasefunctions_nullpointer/flashrom.c
>> ===================================================================
>> --- flashrom-fix_erasefunctions_nullpointer/flashrom.c
>> (Revision 1280) +++
>> flashrom-fix_erasefunctions_nullpointer/flashrom.c
>> (Arbeitskopie) @@ -1514,8 +1514,12 @@ memcpy(curcontents,
>> oldcontents, size);
>>
>>    	for (k = 0; k<   NUM_ERASEFUNCTIONS; k++) {
>>      
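Review bot: the patch as quoted cannot be applied: the mailer has wrapped the `---`/`+++` file headers, the `@@ -1514,8 +1514,12 @@` hunk header and its `memcpy(curcontents, oldcontents, size);` function-context hint together across several lines, so neither `patch` nor `git apply` finds a hunk header at the start of a line. Resend with line wrapping disabled or treat the attached flashrom_fix_erasefunctions_nullpointer.diff as the canonical copy.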
>    ^                   ^^
> There is something broken with your old branch: spaces at the beginning
> of lines and after some binary operators. This does not apply to my
> git-svn head (or the r1280 equivalent) (could be a git-svn bug).
>    

This corruption is apparently a Seamonkey Mail regression present in 
Seamonkey 2.0.x.
Please find the patch attached, hopefully without corruption.


>> +		if (!usable_erasefunctions) {
>> +			msg_cdbg("No usable erase functions
>> left.\n");
>> +			break;
>> +		}
>>    		msg_cdbg("Looking at blockwise erase function %i...
>> ", k);
>> -		if (check_block_eraser(flash, k, 1)&&
>>      
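Review bot: the new guard leaves the loop once `usable_erasefunctions` reaches zero, but nothing in the hunk shows where that counter is initialised or decremented, nor which index ran out of bounds when every erase function failed, so a reader cannot tell from the patch whether the `break` removes the cause or only the symptom; the subject line "Fix out-of-bounds access if all erase functions fail" is currently the whole description, so please spell out the mechanism in the commit message. The unchanged context line `if (check_block_eraser(flash, k, 1)&&` has also lost the space before `&&`, so it no longer matches the tree.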
>                                                     ^^^^
> But it will probably fix the OOB segfault, if it applies.
> I don't understand the whole function though.
> Why do we precheck the erase functions with an extra loop? Just for nice
> logs and sparing us the memcpy?
> Not justified IMHO: it just complicates things, and that OOB failure is
> a typical symptom.
>    

We don't care about the memcpy (would be a micro-optimization and those 
are almost always a bad idea). However, we care about good debug and 
error messages.

Regards,
Carl-Daniel

Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006 at gmx.net>

-- 
http://www.hailfinger.org/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: flashrom_fix_erasefunctions_nullpointer.diff
URL: <http://www.flashrom.org/pipermail/flashrom/attachments/20110416/fe5a702e/attachment.ksh>
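The loop the patch guards, as an added model in C that is not flashrom's code: a fixed-size table of block erasers is pre-counted, then walked, and the walk stops as soon as the usable count hits zero, so the index never runs past NUM_ERASEFUNCTIONS even when every eraser fails. The struct layout, the check_block_eraser helper, the sample erasers, the three demo scenarios and the rule that the counter is decremented once per usable eraser actually tried are all assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed layout for the example; not flashrom's real structures. */
#define NUM_ERASEFUNCTIONS 4

typedef int (*erasefunc_t)(unsigned int addr, unsigned int len);

struct block_eraser {
	erasefunc_t erase;	/* NULL: slot unused */
	unsigned int blocksize;	/* 0: slot unused */
};

struct flashchip {
	unsigned int total_size;
	struct block_eraser block_erasers[NUM_ERASEFUNCTIONS];
};

/* Sample erasers (constructed for the example). */
static int erase_always_fails(unsigned int addr, unsigned int len)
{
	(void)addr; (void)len;
	return 1;
}

static int erase_always_works(unsigned int addr, unsigned int len)
{
	(void)addr; (void)len;
	return 0;
}

/* Assumed helper with the same shape as the call in the patch:
 * returns 0 when eraser k is usable for this chip, nonzero otherwise. */
static int check_block_eraser(const struct flashchip *flash, int k, int log)
{
	const struct block_eraser *e = &flash->block_erasers[k];

	if (e->erase == NULL || e->blocksize == 0) {
		if (log)
			printf("not defined. ");
		return 1;
	}
	if (flash->total_size % e->blocksize) {
		if (log)
			printf("blocksize %u does not divide chip size %u. ",
			       e->blocksize, flash->total_size);
		return 1;
	}
	return 0;
}

/* Number of erasers invoked by the last erase_flash() call. */
int last_attempts;

/* Pre-count usable erasers, then walk the table and try each usable one.
 * The index stays below NUM_ERASEFUNCTIONS; the counter guard ends the walk
 * as soon as every usable eraser has been consumed.
 * Returns 0 on success, 1 if every usable eraser failed or none exist. */
int erase_flash(const struct flashchip *flash)
{
	int usable_erasefunctions = 0;
	int k;

	last_attempts = 0;
	for (k = 0; k < NUM_ERASEFUNCTIONS; k++)
		if (!check_block_eraser(flash, k, 0))
			usable_erasefunctions++;
	printf("%d usable erase function(s)\n", usable_erasefunctions);

	for (k = 0; k < NUM_ERASEFUNCTIONS; k++) {
		if (!usable_erasefunctions) {
			printf("No usable erase functions left.\n");
			break;
		}
		printf("Looking at blockwise erase function %i... ", k);
		if (check_block_eraser(flash, k, 1)) {
			printf("skipping\n");
			continue;	/* never counted, so nothing to decrement */
		}
		usable_erasefunctions--;
		last_attempts++;
		if (flash->block_erasers[k].erase(0, flash->total_size) == 0) {
			printf("OK\n");
			return 0;
		}
		printf("FAILED, trying the next one\n");
	}
	return 1;
}

/* Constructed scenarios: every defined eraser fails; the second one works;
 * no eraser is defined at all (the walk must stop at k == 0). */
int demo_all_fail(void)
{
	struct flashchip c = { 4096, { { erase_always_fails, 4096 }, { NULL, 0 },
				       { erase_always_fails, 256 }, { NULL, 0 } } };
	return erase_flash(&c);
}

int demo_second_works(void)
{
	struct flashchip c = { 4096, { { erase_always_fails, 4096 },
				       { erase_always_works, 4096 } } };
	return erase_flash(&c);
}

int demo_none_defined(void)
{
	struct flashchip c = { 4096, { { NULL, 0 } } };
	return erase_flash(&c);
}

int main(void)
{
	printf("all fail -> %d\n", demo_all_fail());
	printf("second works -> %d\n", demo_second_works());
	printf("none defined -> %d\n", demo_none_defined());
	return 0;
}
```

The pre-count loop is what makes the "%d usable erase function(s)" line and the per-eraser "Looking at ..." lines possible before anything is touched; the walk itself only ever reads block_erasers[k] for k below NUM_ERASEFUNCTIONS, and the counter guard means an all-fail table ends with "No usable erase functions left." instead of a further iteration.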
