diff options
author | Ahmad Fatoum <ahmad@a3f.at> | 2021-11-29 08:14:54 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2021-12-07 10:12:47 +0100 |
commit | 3a726d01792bdd03eb16b74f1565ce30995abb75 (patch) | |
tree | 7fc4bae55583253be71220b622de2c4460071008 /fs | |
parent | f2dd8896846757829fb3033f41b89be3fc037d78 (diff) | |
download | barebox-3a726d01792bdd03eb16b74f1565ce30995abb75.tar.gz barebox-3a726d01792bdd03eb16b74f1565ce30995abb75.tar.xz |
fs: /dev/mem: handle copy at offset 0 correctly
Despite that /dev/mem has a size of 0, the check preventing
out-of-bounds access works for /dev/mem as well, because of unsigned
wrap around. Corner case is when offset is zero. There will be no wrap
around and
count = min(count, 0 - 0) = 0
Leading to unexpected behavior with e.g.
memcmp -s /dev/mem 0
on systems without MMU. Fix this.
Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
Link: https://lore.barebox.org/20211129071454.2014315-1-ahmad@a3f.at
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/devfs-core.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/devfs-core.c b/fs/devfs-core.c index 3715e543e6..2d016e0e48 100644 --- a/fs/devfs-core.c +++ b/fs/devfs-core.c @@ -573,7 +573,10 @@ ssize_t mem_copy(struct device_d *dev, void *dst, const void *src, if (!dev || dev->num_resources < 1) return -1; - count = size = min(count, resource_size(&dev->resource[0]) - offset); + if (resource_size(&dev->resource[0]) > 0 || offset != 0) + count = min(count, resource_size(&dev->resource[0]) - offset); + + size = count; /* no rwsize specification given. Do whatever memcpy likes best */ if (!rwsize) { |