BLKGETSIZE64 writes 64-bit to the address pointed at by the ioctl argument. As hf->size is a 32-bit size_t on 32-bit systems, on such systems, the adjacent member might be corrupted. Fix this. Fixes: 8d6da6462b12 ("sandbox: add_image: mmap block devices") Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- arch/sandbox/board/dtb.c | 2 +- arch/sandbox/board/hostfile.c | 1 + arch/sandbox/dts/sandbox-state-example.dtsi | 2 +- arch/sandbox/dts/skeleton.dtsi | 4 ++-- arch/sandbox/mach-sandbox/include/mach/hostfile.h | 2 +- arch/sandbox/os/common.c | 10 +++++++--- 6 files changed, 13 insertions(+), 8 deletions(-) diff --git a/arch/sandbox/board/dtb.c b/arch/sandbox/board/dtb.c index 74ecbadf4217..d11bde0249bd 100644 --- a/arch/sandbox/board/dtb.c +++ b/arch/sandbox/board/dtb.c @@ -46,7 +46,7 @@ static int of_sandbox_init(void) if (ret) return ret; - ret = of_property_write_u32(root, "#size-cells", 1); + ret = of_property_write_u32(root, "#size-cells", 2); if (ret) return ret; } diff --git a/arch/sandbox/board/hostfile.c b/arch/sandbox/board/hostfile.c index 56023b4ad45d..07287fc0b4a1 100644 --- a/arch/sandbox/board/hostfile.c +++ b/arch/sandbox/board/hostfile.c @@ -134,6 +134,7 @@ static int of_hostfile_fixup(struct device_node *root, void *ctx) uint32_t reg[] = { hf->base >> 32, hf->base, + hf->size >> 32, hf->size }; int ret; diff --git a/arch/sandbox/dts/sandbox-state-example.dtsi b/arch/sandbox/dts/sandbox-state-example.dtsi index fc17bd078899..98640f6677cf 100644 --- a/arch/sandbox/dts/sandbox-state-example.dtsi +++ b/arch/sandbox/dts/sandbox-state-example.dtsi @@ -6,7 +6,7 @@ disk { compatible = "barebox,hostfile"; barebox,filename = "disk"; - reg = <0x0 0x0 0x100000>; + reg = <0x0 0x0 0x0 0x100000>; partitions { compatible = "fixed-partitions"; diff --git a/arch/sandbox/dts/skeleton.dtsi b/arch/sandbox/dts/skeleton.dtsi index 38ead821bb42..8ba7663eb5c0 100644 --- a/arch/sandbox/dts/skeleton.dtsi +++ b/arch/sandbox/dts/skeleton.dtsi @@ -6,8 +6,8 @@ / { #address-cells = <2>; - #size-cells = <1>; + #size-cells = <2>; chosen { }; aliases { }; - memory { device_type = "memory"; reg = <0 0 0>; }; + memory { device_type = "memory"; reg = <0 0 0 0>; }; }; diff --git a/arch/sandbox/mach-sandbox/include/mach/hostfile.h b/arch/sandbox/mach-sandbox/include/mach/hostfile.h index 54f690be5f7f..e2f44c4f7b0c 100644 --- a/arch/sandbox/mach-sandbox/include/mach/hostfile.h +++ b/arch/sandbox/mach-sandbox/include/mach/hostfile.h @@ -4,7 +4,7 @@ struct hf_info { int fd; unsigned long long base; - size_t size; + unsigned long long size; const char *devname; const char *filename; }; diff --git a/arch/sandbox/os/common.c b/arch/sandbox/os/common.c index 69fadb3b47a4..9f26f8fa6e9a 100644 --- a/arch/sandbox/os/common.c +++ b/arch/sandbox/os/common.c @@ -267,9 +267,13 @@ static int add_image(char *str, char *devname_template, int *devname_number) goto err_out; } } - hf->base = (unsigned long)mmap(NULL, hf->size, - PROT_READ | (readonly ? 0 : PROT_WRITE), - MAP_SHARED, fd, 0); + if (hf->size <= SIZE_MAX) + hf->base = (unsigned long)mmap(NULL, hf->size, + PROT_READ | (readonly ? 0 : PROT_WRITE), + MAP_SHARED, fd, 0); + else + printf("warning: %s: contiguous map failed\n", filename); + if (hf->base == (unsigned long)MAP_FAILED) printf("warning: mmapping %s failed: %s\n", filename, strerror(errno)); -- 2.28.0 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox