SPI flash operations inadvertently stretching beyond the flash size will result in a wraparound. This may be particularly dangerous when burning u-boot, because the flash contents will be corrupted rendering the board unusable, without any warning being issued. So add a consistency checking so not to overflow past the flash size.
Signed-off-by: Gerlando Falauto gerlando.falauto@keymile.com Cc: Valentin Longchamp valentin.longchamp@keymile.com Cc: Holger Brunck holger.brunck@keymile.com --- common/cmd_sf.c | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/common/cmd_sf.c b/common/cmd_sf.c index 9c76464..3cfedde 100644 --- a/common/cmd_sf.c +++ b/common/cmd_sf.c @@ -211,6 +211,13 @@ static int do_spi_flash_read_write(int argc, char * const argv[]) if (*argv[3] == 0 || *endp != 0) return -1;
+ /* Consistency checking */ + if (offset + len > flash->size) { + printf("ERROR: Attempting SPI flash %s past flash size (0x%x)\n", + argv[0], flash->size); + return 1; + } + buf = map_physmem(addr, len, MAP_WRBACK); if (!buf) { puts("Failed to map physical memory\n"); @@ -252,6 +259,13 @@ static int do_spi_flash_erase(int argc, char * const argv[]) if (ret != 1) return -1;
+ /* Consistency checking */ + if (offset + len > flash->size) { + printf("ERROR: Attempting SPI flash %s past flash size (0x%x)\n", + argv[0], flash->size); + return 1; + } + ret = spi_flash_erase(flash, offset, len); if (ret) { printf("SPI flash %s failed\n", argv[0]);