md -s /dev/mmappable.device will read out-of-bounds if the byte count to read exceeds the device size.
Limit the size read from the memmap to fix this. Signed-off-by: Ahmad Fatoum <[email protected]> --- commands/md.c | 4 ++++ common/ratp/md.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/commands/md.c b/commands/md.c index f3758f571fb2..401538d4d8be 100644 --- a/commands/md.c +++ b/commands/md.c @@ -25,6 +25,7 @@ static int do_mem_md(int argc, char *argv[]) loff_t start = 0, size = 0x100; int r, now; int ret = 0; + struct stat st; int fd; char *filename = "/dev/mem"; int mode = O_RWSIZE_4; @@ -54,6 +55,9 @@ static int do_mem_md(int argc, char *argv[]) return 1; } + if (!fstat(fd, &st) && st.st_size != FILE_SIZE_STREAM) + size = min(size, st.st_size); + map = memmap(fd, PROT_READ); if (map != MAP_FAILED) { ret = memory_display(map + start, start, size, diff --git a/common/ratp/md.c b/common/ratp/md.c index 8221afaebc22..f3302dedafb7 100644 --- a/common/ratp/md.c +++ b/common/ratp/md.c @@ -61,6 +61,7 @@ static int do_ratp_mem_md(const char *filename, loff_t size, uint8_t *output) { + struct stat st; int r, now, t; int ret = 0; int fd; @@ -73,6 +74,9 @@ static int do_ratp_mem_md(const char *filename, return -errno; } + if (!fstat(fd, &st) && st.st_size != FILE_SIZE_STREAM) + size = min(size, st.st_size); + map = memmap(fd, PROT_READ); if (map != MAP_FAILED) { memcpy(output, (uint8_t *)(map + start), size); -- 2.47.3
