[coreboot] Coreboot bug?
Myles Watson
mylesgw at gmail.com
Thu Nov 12 00:31:00 CET 2009
On Wed, Nov 11, 2009 at 4:06 PM, Peter Stuge <peter at stuge.se> wrote:
> Myles Watson wrote:
>> How about this:
>>
>> Index: src/arch/i386/boot/coreboot_table.c
>> ===================================================================
>> --- src/arch/i386/boot/coreboot_table.c (revision 4931)
>> +++ src/arch/i386/boot/coreboot_table.c (working copy)
>> @@ -485,11 +485,10 @@
>>
>> #if (CONFIG_HAVE_OPTION_TABLE == 1)
>> {
>> - struct lb_record *rec_dest, *rec_src;
>> - /* Write the option config table... */
>> + struct lb_record *rec_dest;
>> + /* Copy the option config table, it's already a lb_record... */
>> rec_dest = lb_new_record(head);
>> - rec_src = (struct lb_record *)(void *)&option_table;
>> - memcpy(rec_dest, rec_src, rec_src->size);
>> + memcpy(rec_dest, &option_table, sizeof(option_table));
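Review bot: the new memcpy copies sizeof(option_table) bytes where the removed line copied rec_src->size, i.e. the length the record's own header advertises; unless the generated option_table object is exactly as large as its size field claims, the bytes placed in the table and the size that lb_new_record and table readers use to locate the next header will disagree (either trailing bytes of the object spill past the record, or the copy is short). Since the new comment itself says "it's already a lb_record", suggest keeping the header's size as the copy length (what rec_src->size read) or, if the two are meant to be equal, adding an assertion that sizeof(option_table) matches it so the mismatch fails at build or boot rather than silently corrupting the table.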
>
> It is completely unclear to me why it is safe to write beyond the
> struct lb_record
lb_record is just the header. The data follows it, but isn't a member
of the struct.
> (maybe it is an elaborate side-effect of the call to
> lb_new_record()?)
I think lb_new_record uses the size to find the next header location.
Is that what you meant?
> Acked-by: Peter Stuge <peter at stuge.se>
Rev 4935.
Thanks,
Myles
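As an added illustration of the point made in this exchange (this is example code, not coreboot's own), the following models a record layout in which the C struct is only the header and the payload follows it in memory. The walker locates each next header from the previous record's size field, with bounds checks, and the demo shows that sizeof of the enclosing object and the header's size field can legitimately differ. The struct shapes, the tag value and the opt_table type are constructed assumptions, not coreboot definitions.

```c
/* Added example, not coreboot code: a header-only record type whose
 * payload follows the struct in memory, plus a size-driven table walker. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header only; payload bytes follow immediately. Constructed to mirror the
 * two-field tag+size shape described in the thread. */
struct lb_record {
    uint32_t tag;
    uint32_t size;   /* total bytes of this record, header included */
};

/* Constructed option-table object: header plus a fixed payload area.
 * sizeof(struct opt_table) is 32, but a table using only 10 payload bytes
 * carries size == 18 in its header; these are the two lengths the thread
 * contrasts. */
struct opt_table {
    struct lb_record hdr;
    uint8_t payload[24];
};

#define LB_TAG_OPTION_TABLE 0x00c8   /* hypothetical tag value */

/* Append a record by copying only the bytes its header advertises.
 * Returns the bytes appended, or 0 if the record is malformed or does not fit. */
static size_t lb_append(uint8_t *buf, size_t cap, size_t *used,
                        const struct lb_record *src)
{
    if (src->size < sizeof(struct lb_record) || src->size > cap - *used)
        return 0;
    /* Copy src->size bytes, not sizeof(*src): the payload lives past the header. */
    memcpy(buf + *used, src, src->size);
    *used += src->size;
    return src->size;
}

/* Walk the table: each record's size locates the next header. Returns the
 * number of well-formed records, or -1 if a size would step outside the buffer.
 * Headers are read with memcpy so unaligned offsets are handled portably. */
static int lb_count_records(const uint8_t *buf, size_t len)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        struct lb_record rec;
        if (len - off < sizeof rec)
            return -1;                       /* truncated header */
        memcpy(&rec, buf + off, sizeof rec);
        if (rec.size < sizeof rec || rec.size > len - off)
            return -1;                       /* size runs past the table */
        off += rec.size;
        n++;
    }
    return n;
}

/* Build a table from a constructed option table (10 payload bytes used) and
 * a second small record; the second record's header lands at offset 18,
 * i.e. where the size field says, not at sizeof(struct opt_table). */
static int demo(void)
{
    struct opt_table option_table = {
        .hdr = { .tag = LB_TAG_OPTION_TABLE,
                 .size = sizeof(struct lb_record) + 10 },
    };
    memset(option_table.payload, 0xAB, 10);

    uint8_t table[64];
    size_t used = 0;
    if (!lb_append(table, sizeof table, &used, &option_table.hdr))
        return -1;
    struct lb_record tail = { .tag = 0x10, .size = sizeof tail };
    if (!lb_append(table, sizeof table, &used, &tail))
        return -1;
    return lb_count_records(table, used);    /* 2 records, 26 bytes used */
}

/* A header whose size claims more bytes than the table holds is rejected. */
static int demo_truncated(void)
{
    uint8_t bad[16] = {0};
    struct lb_record hdr = { .tag = 0x10, .size = 100 };
    memcpy(bad, &hdr, sizeof hdr);
    return lb_count_records(bad, sizeof bad);  /* -1 */
}

int main(void)
{
    printf("sizeof(struct opt_table)=%zu header size=%zu records=%d truncated=%d\n",
           sizeof(struct opt_table), sizeof(struct lb_record) + 10,
           demo(), demo_truncated());
    return 0;
}
```

The copy length in lb_append deliberately comes from the header's size field; using sizeof on the enclosing object would append 32 bytes for a record that announces 18, so the next header would be found 14 bytes before the end of what was written.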