Re: [flashrom] [PATCH] Fix out-of-bounds access if all erase functions fail

Fri, 15 Apr 2011 15:12:01 -0700 

Am 15.04.2011 13:16 schrieb Stefan Tauner:

On Fri, 15 Apr 2011 07:31:29 +0200
Carl-Daniel Hailfinger<[email protected]>  wrote:


Index: flashrom-fix_erasefunctions_nullpointer/flashrom.c
===================================================================
--- flashrom-fix_erasefunctions_nullpointer/flashrom.c
(Revision 1280) +++
flashrom-fix_erasefunctions_nullpointer/flashrom.c
(Arbeitskopie) @@ -1514,8 +1514,12 @@ memcpy(curcontents,
oldcontents, size);

        for (k = 0; k<   NUM_ERASEFUNCTIONS; k++) {

   ^                   ^^
there is something broken with your old branch. spaces on the beginning
of lines and after some binary operators. this does not apply to my
git-svn head (or the r1280 equivalent) (could be a git-svn bug).
This corruption is apparently a Seamonkey Mail regression present in Seamonkey 2.0.x. 
Please find the patch attached, hopefully without corruption.



+               if (!usable_erasefunctions) {
+                       msg_cdbg("No usable erase functions
left.\n");
+                       break;
+               }
                msg_cdbg("Looking at blockwise erase function %i...
", k);
-               if (check_block_eraser(flash, k, 1)&&

                                                    ^^^^
but it will probably fix the OOB segfault, if it applies.
i dont understand the whole function though.
why do we precheck the erase functions with an extra loop? just for nice
logs and sparing us the memcpy?
not justified imho: it just complicates things and that OOB failure is
a typical symptom.
We don't care about the memcpy (would be a micro-optimization and those are almost always a bad idea). However, we care about good debug and error messages. 

Regards,
Carl-Daniel

Signed-off-by: Carl-Daniel Hailfinger <[email protected]>

--
http://www.hailfinger.org/


Index: flashrom-fix_erasefunctions_nullpointer/flashrom.c
===================================================================
--- flashrom-fix_erasefunctions_nullpointer/flashrom.c  (Revision 1280)
+++ flashrom-fix_erasefunctions_nullpointer/flashrom.c  (Arbeitskopie)
@@ -1514,8 +1514,12 @@
        memcpy(curcontents, oldcontents, size);
 
        for (k = 0; k < NUM_ERASEFUNCTIONS; k++) {
+               if (!usable_erasefunctions) {
+                       msg_cdbg("No usable erase functions left.\n");
+                       break;
+               }
                msg_cdbg("Looking at blockwise erase function %i... ", k);
-               if (check_block_eraser(flash, k, 1) && usable_erasefunctions) {
+               if (check_block_eraser(flash, k, 1)) {
                        msg_cdbg("Looking for another erase function.\n");
                        continue;
                }

_______________________________________________
flashrom mailing list
[email protected]
http://www.flashrom.org/mailman/listinfo/flashrom

Reply via email to