
3 Sep 2021, 11:29 p.m.
On Tue, Aug 03, 2021 at 04:28:38PM +0200, Pali Rohár wrote:
Variable xyz.len is set to -1 on error. At the end, the xyzModem_stream_read() function calls memcpy() with the length from variable xyz.len. If this variable is set to -1 then the value passed to memcpy is cast to an unsigned value, which means to copy the whole address space. This then causes a U-Boot crash. E.g. on arm64 it causes a CPU crash: "Synchronous Abort" handler, esr 0x96000006

Fix this issue by checking that the value stored in xyz.len is valid prior to trying to use it.

Signed-off-by: Pali Rohár pali@kernel.org
Acked-by: Heinrich Schuchardt heinrich.schuchardt@canonical.com
With a quick X/Y modem test boot on am335x_evm: For the series, applied to u-boot/next, thanks!
--
Tom
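
The failure mode described in the quoted commit message, as an added example that is not U-Boot's code and not the applied patch: a signed length of -1 converts to SIZE_MAX when it reaches memcpy()'s size_t parameter, and a read routine avoids that by validating the length first. The struct `xyz_model` and the functions `unchecked_copy_size()` and `guarded_read()` are hypothetical names; only the `len` field and its -1 error value come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the receiver state; only len mirrors the page. */
struct xyz_model {
    const unsigned char *bufp; /* next unread byte of the current packet */
    int len;                   /* bytes left in the packet, or -1 after an error */
};

/* The size memcpy() would receive if len were passed unchecked:
 * the int is converted to size_t, so -1 becomes SIZE_MAX. */
static size_t unchecked_copy_size(int len)
{
    return (size_t)len;
}

/* Guarded read: copy only when len is a positive count, and never more
 * than the caller's buffer holds. Returns bytes copied, 0, or -1 on error. */
static int guarded_read(struct xyz_model *xyz, unsigned char *buf, int size)
{
    int n;

    if (xyz->len < 0)
        return -1;              /* error state: do not touch memcpy() */
    if (xyz->len == 0 || size <= 0)
        return 0;               /* nothing to copy */
    n = xyz->len < size ? xyz->len : size;
    memcpy(buf, xyz->bufp, (size_t)n);
    xyz->bufp += n;
    xyz->len -= n;
    return n;
}

int main(void)
{
    static const unsigned char pkt[] = "ABCDEF"; /* constructed sample data */
    unsigned char dst[4];
    struct xyz_model ok = { pkt, 6 }, bad = { pkt, -1 };

    printf("unchecked size for len=-1: %zu\n", unchecked_copy_size(-1));
    printf("guarded read, valid state: %d\n", guarded_read(&ok, dst, 4));
    printf("guarded read, error state: %d\n", guarded_read(&bad, dst, 4));
    return 0;
}
```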