[coreboot-gerrit] New patch to review for coreboot: 55e8c22 CBMEM console: Prevent buffer overrun

Kyösti Mälkki (kyosti.malkki@gmail.com) gerrit at coreboot.org
Wed Nov 27 21:06:40 CET 2013


Kyösti Mälkki (kyosti.malkki at gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/4292

-gerrit

commit 55e8c2221942e150099ef61db87fca7fbeb1475b
Author: Kyösti Mälkki <kyosti.malkki at gmail.com>
Date:   Wed Nov 27 17:51:31 2013 +0200

    CBMEM console: Prevent buffer overrun
    
    Make sure the memcpy target and a possible message telling that the log was
    truncated stay within the allocated region for the CBMEM console.
    
    This fixes observed CBMEM corruption on platforms that do not use CBMEM
    console during romstage. Those platforms will need an additional fix to
    reset cursor position to zero on s3 resume.
    
    Change-Id: I76501ca3afc716545ca76ebca1119995126a43f8
    Signed-off-by: Kyösti Mälkki <kyosti.malkki at gmail.com>
---
 src/lib/cbmem_console.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/lib/cbmem_console.c b/src/lib/cbmem_console.c
index dd88300..ac1d8bb 100644
--- a/src/lib/cbmem_console.c
+++ b/src/lib/cbmem_console.c
@@ -113,27 +113,39 @@ void cbmemc_tx_byte(unsigned char data)
  */
 static void copy_console_buffer(struct cbmem_console *new_cons_p)
 {
-	u32 copy_size;
+	u32 copy_size, dropped_chars;
 	u32 cursor = new_cons_p->buffer_cursor;
 	struct cbmem_console *old_cons_p;
-	int overflow;
 
 	old_cons_p = current_console();
 
-	overflow = old_cons_p->buffer_cursor > old_cons_p->buffer_size;
+	if (old_cons_p->buffer_cursor < old_cons_p->buffer_size)
+		copy_size = old_cons_p->buffer_cursor;
+	else
+		copy_size = old_cons_p->buffer_size;
 
-	copy_size = overflow ?
-		old_cons_p->buffer_size : old_cons_p->buffer_cursor;
+	if (cursor > new_cons_p->buffer_size)
+		copy_size = 0;
+	else if (cursor + copy_size > new_cons_p->buffer_size)
+		copy_size = new_cons_p->buffer_size - cursor;
+
+	dropped_chars = old_cons_p->buffer_cursor - copy_size;
+	if (dropped_chars) {
+		/* Reserve 80 chars to report overflow, if possible. */
+		if (copy_size < 80)
+			return;
+		copy_size -= 80;
+		dropped_chars += 80;
+	}
 
 	memcpy(new_cons_p->buffer_body + cursor, old_cons_p->buffer_body,
 	       copy_size);
 
 	cursor += copy_size;
 
-	if (overflow) {
+	if (dropped_chars) {
 		const char loss_str1[] = "\n\n*** Log truncated, ";
 		const char loss_str2[] = " characters dropped. ***\n\n";
-		u32 dropped_chars = old_cons_p->buffer_cursor - copy_size;
 
 		/*
 		 * When running from ROM sprintf is not available, a simple
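Review bot: the early return at `if (copy_size < 80) return;` discards the whole old console contents whenever fewer than 80 bytes fit after `cursor`, and since the function returns before the notice is written, the new console then carries no indication that anything was lost; consider copying the `copy_size` bytes that do fit and skipping only the notice, or at least stating in the comment that the entire old log is dropped in that case. The literal 80 also appears three times (`if (copy_size < 80)`, `copy_size -= 80;`, `dropped_chars += 80;`); a named constant derived from `sizeof(loss_str1)`, the decimal digits of a u32 and `sizeof(loss_str2)` would make the reservation self-explanatory and keep the three uses in step if the strings change. The clamping itself reads correctly: copy_size is limited first to the old buffer's valid content and then to the space remaining after `cursor` in the new buffer, so both the memcpy and the truncation notice stay inside `new_cons_p->buffer_body`.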
