On 1/11/24 14:36, Gerd Hoffmann wrote: > In some cases (specifically when the flash update region is > small but crosses a multiple of P30_MAX_BUFFER_SIZE_IN_BYTES) > NorFlashWriteSingleBlock reads only one instead of two > P30_MAX_BUFFER_SIZE_IN_BYTES blocks into the shadow buffer. > > That leads to random crap being written to the second block, > which in turn can corrupt both the variable store and the > FTW work space. > > This patch fixes the calculation. > > Signed-off-by: Gerd Hoffmann <kra...@redhat.com> > --- > OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > index 1afd60ce66eb..cdc809d75e3d 100644 > --- a/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > +++ b/OvmfPkg/VirtNorFlashDxe/VirtNorFlash.c > @@ -566,7 +566,7 @@ NorFlashWriteSingleBlock ( > Instance, > Lba, > Offset & ~BOUNDARY_OF_32_WORDS, > - (*NumBytes | BOUNDARY_OF_32_WORDS) + 1, > + (((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | > BOUNDARY_OF_32_WORDS) + 1, > Instance->ShadowBuffer > ); > if (EFI_ERROR (Status)) {
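Review bot: in the new length argument, `(((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes) | BOUNDARY_OF_32_WORDS) + 1` still rounds up to the next multiple when the write already ends exactly on one, so a write whose last byte is the last byte of a buffer-sized block reads one extra block into Instance->ShadowBuffer. Assuming BOUNDARY_OF_32_WORDS is the P30_MAX_BUFFER_SIZE_IN_BYTES - 1 mask (as the `Offset & ~BOUNDARY_OF_32_WORDS` start address suggests), subtracting 1 before the OR, i.e. `(((Offset & BOUNDARY_OF_32_WORDS) + *NumBytes - 1) | BOUNDARY_OF_32_WORDS) + 1`, gives the exact span and avoids reading past the end of the region being updated; that form relies on *NumBytes being non-zero. A short comment above the argument with one worked pair of Offset and *NumBytes values would also make the calculation easier to verify.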
This patch looks like the output of an excellent bug analysis. I'll need more time to review this. If you have a ticket with the analysis captured (actual numbers, debugging logs, a concrete backtrace / call chain triggering the issue, etc), I'd appreciate a reference. (Perhaps include some of the key items in the commit message too?)

Thanks
Laszlo