Patchwork fix cbfs_header location

Submitter Thomas Jourdan
Date 2009-08-12 21:45:22
Message ID <1250113522.6425.61.camel@desktop>
Permalink /patch/117/
State Accepted

Comments

Thomas Jourdan - 2009-08-12 21:45:22
Hi guys

I think I found a bug in CBFS. It's about the cbfs master header
location. Under certain circumstances, it can be overwritten by a file,
hence corrupting the rom.

I added some debug output to explain the problem. First I create a dummy
bootblock and the rom:
dd if=/dev/zero of=bootblock bs=16k count=4
cbfstool rom create 262144 65536 bootblock 16
-----
create_rom: create cbfs_header at offset 0x2ffd0
create_rom: write cbfs master header address 0xfffeffd0
-----
cbfstool rom print
rom: 256 kB, bootblocksize 65536, romsize 262144, offset 0x0
Alignment: 16 bytes

Name                           Offset     Type         Size
                               0x0        free         196536
Finally create and add the file:
dd if=/dev/zero of=dummy bs=196536 count=1
cbfstool rom add dummy dummy 256
-----
rom_alloc: Found free file at offset 0x0 headersize 0x28 size 0x2ffb8
rom_alloc: nextoffset 0x2ffe0
rom_alloc: truncoffset 0x2ffe0
-----
cbfstool rom print
(cbfstool) E: This does not appear to be a valid ROM
(cbfstool) E: Problem while reading the ROM

As you can see, nextoffset is 0x10 byte after the cbfs_header. The file
I added overwrote it.

I attached a patch to fix this.
Signed-off-by: Thomas Jourdan <thomas.jourdan@gmail.com>

Regards,
Thomas
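The two offset calculations the report above shows disagreeing, as an added example in C (not cbfstool's own code): it models create_rom's old and new master-header placement next to the allocator's view of free space, and checks whether a file that fills the reported free space would overlap the header. The struct sizes (32-byte cbfs_header, 40-byte cbfs_file) and the alignment rounding are assumptions reconstructed from the numbers in the report.

```c
#include <stdint.h>

/* Assumed struct sizes, taken from the report: headersize 0x28 for a
 * file header, and a 0x20-byte master header. */
#define CBFS_HEADER_SIZE      32u
#define CBFS_FILE_HEADER_SIZE 40u

/* Master-header offset as create_rom computed it before the patch
 * (with the spurious "- 16") ... */
static uint32_t header_offset_old(uint32_t romsize, uint32_t bootblocksize)
{
    return romsize - 16 - bootblocksize - CBFS_HEADER_SIZE;
}

/* ... and after the patch: directly below the bootblock. */
static uint32_t header_offset_new(uint32_t romsize, uint32_t bootblocksize)
{
    return romsize - bootblocksize - CBFS_HEADER_SIZE;
}

/* The allocator's view: the usable area ends where the master header is
 * expected to start, and the free file that "rom print" reports is that
 * area minus one file header. */
static uint32_t free_space(uint32_t romsize, uint32_t bootblocksize)
{
    return romsize - bootblocksize - CBFS_HEADER_SIZE - CBFS_FILE_HEADER_SIZE;
}

/* Exclusive end offset of a file placed at offset 0, rounded up to the
 * ROM alignment the way rom_alloc's nextoffset is (assumed rounding). */
static uint32_t next_offset(uint32_t filesize, uint32_t align)
{
    uint32_t end = CBFS_FILE_HEADER_SIZE + filesize;
    return (end + align - 1) & ~(align - 1);
}

/* 1 if a file ending at next_off would overwrite the header at header_off. */
static int overlaps_header(uint32_t next_off, uint32_t header_off)
{
    return next_off > header_off;
}

/* Top-of-4GB address written at the end of the ROM for a header at
 * header_off; equals 0xFFFFFFFF - (romsize - header_off) + 1. */
static uint32_t header_address(uint32_t romsize, uint32_t header_off)
{
    return 0xFFFFFFFFu - (romsize - header_off) + 1;
}
```

With the report's 256 kB ROM, 64 kB bootblock and 16-byte alignment, the old placement overlaps the allocator's end offset 0x2ffe0 while the new one does not.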
Patrick Georgi - 2009-08-17 15:20:37
On 12.08.2009 23:45, Thomas Jourdan wrote:
> Hi guys
>
> I think I found a bug in CBFS. It's about the cbfs master header
> location. Under certain circumstances, it can be overwritten by a file,
> hence corrupting the rom.
>
Good find! Acked and committed, r4547.


Thanks,
Patrick

Patch

Index: util/cbfstool/util.c
===================================================================
--- util/cbfstool/util.c	(révision 4540)
+++ util/cbfstool/util.c	(copie de travail)
@@ -220,7 +220,7 @@ 
 
 	/* This is a pointer to the header for easy access */
 	rom->header = (struct cbfs_header *)
-	    ROM_PTR(rom, rom->size - 16 - bootblocksize - sizeof(struct cbfs_header));
+	    ROM_PTR(rom, rom->size - bootblocksize - sizeof(struct cbfs_header));
 	rom->header->magic = htonl(HEADER_MAGIC);
 	rom->header->romsize = htonl(romsize);
 	rom->header->bootblocksize = htonl(bootblocksize);
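Review bot: the new offset `rom->size - bootblocksize - sizeof(struct cbfs_header)` is the value the allocator already assumes (in the report, rom_alloc's nextoffset for a file filling all free space is 0x2ffe0, which is exactly this expression for a 256 kB ROM with a 64 kB bootblock, while create_rom placed the header 16 bytes earlier at 0x2ffd0), so making create_rom agree with the allocator is the right side to change. Since the same quantity is also needed for the address written at the end of the ROM, compute it once into a local such as `uint32_t header_offset = rom->size - bootblocksize - sizeof(struct cbfs_header);` and extend the comment to state that the header sits immediately below the bootblock, so the two sites cannot drift apart again. The regression check is the sequence in the report: create a ROM, add a file of the size `rom print` reports as free, and confirm `rom print` still parses the image.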
@@ -233,7 +233,7 @@ 
 	/* Write the cbfs master header address at the end of the ROM. */
 
 	ROM_WRITEL(rom, rom->size - 4,
-		   0xFFFFFFF0 - bootblocksize - sizeof(struct cbfs_header));
+		   0xFFFFFFFF - bootblocksize - sizeof(struct cbfs_header) + 1);
 
 	/* write the empty header */
 	rom_set_header(rom, (struct cbfs_file *)rom->ptr, "", -1, CBFS_COMPONENT_NULL);
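Review bot: `0xFFFFFFFF - bootblocksize - sizeof(struct cbfs_header) + 1` is correct (for the report's sizes it writes 0xFFFEFFE0 where the old code wrote 0xFFFEFFD0, matching the moved header), but the trailing `+ 1` obscures that the intent is 0x100000000 minus the distance from the header to the end of the ROM, and nothing ties it to the pointer computed in the previous hunk. Express it in terms of the same header offset, e.g. `0xFFFFFFFF - (rom->size - header_offset) + 1`, and add a one-line comment that this is the top-of-memory address of the header, so the pointer and the stored address stay in lockstep if either size changes.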