From db2e3aa2578a931924f5bd269b0279bd403263ea Mon Sep 17 00:00:00 2001 From: Patrick Georgi Date: Sat, 9 Mar 2013 10:52:50 +0100 Subject: libpayload: Fix reading x86 CBFS images from RAM Three issues: 1. the hardcoded dereferenced pointer at 0xfffffffc 2. "RAM media" has no idea about ROM relative addresses 3. off-by-one in RAM media: it's legal to request 4 bytes from 0xfffffffc Change-Id: I671ac12d412c71dc8e8e6114f2ea13f58dd99c1d Signed-off-by: Patrick Georgi Reviewed-on: http://review.coreboot.org/2624 Tested-by: build bot (Jenkins) Reviewed-by: Paul Menzel Reviewed-by: Hung-Te Lin --- payloads/libpayload/libcbfs/cbfs.c | 10 ++++++++-- payloads/libpayload/libcbfs/ram_media.c | 6 +++++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/payloads/libpayload/libcbfs/cbfs.c b/payloads/libpayload/libcbfs/cbfs.c index 35e48dda27..2fb91bf2d2 100644 --- a/payloads/libpayload/libcbfs/cbfs.c +++ b/payloads/libpayload/libcbfs/cbfs.c @@ -65,8 +65,14 @@ #if defined(CONFIG_CBFS_HEADER_ROM_OFFSET) && (CONFIG_CBFS_HEADER_ROM_OFFSET) # define CBFS_HEADER_ROM_ADDRESS (CONFIG_CBFS_HEADER_ROM_OFFSET) #else -// Indirect address: only works on 32bit top-aligned systems. -# define CBFS_HEADER_ROM_ADDRESS (*(uint32_t*)0xfffffffc) +/* ugly hack: this assumes that "media" exists + in the scope where the macro is used. */ +static uint32_t fetch_x86_header(struct cbfs_media *media) +{ + uint32_t *header_ptr = media->map(media, 0xfffffffc, 4); + return *header_ptr; +} +# define CBFS_HEADER_ROM_ADDRESS fetch_x86_header(media) #endif #include "cbfs_core.c" diff --git a/payloads/libpayload/libcbfs/ram_media.c b/payloads/libpayload/libcbfs/ram_media.c index 87b5292b63..1a0500e1be 100644 --- a/payloads/libpayload/libcbfs/ram_media.c +++ b/payloads/libpayload/libcbfs/ram_media.c @@ -43,7 +43,11 @@ static int ram_open(struct cbfs_media *media) { static void *ram_map(struct cbfs_media *media, size_t offset, size_t count) { struct ram_media *m = (struct ram_media*)media->context; - if (offset + count >= m->size) { + /* assume addressing from top of image in this case */ + if (offset > 0xf0000000) { + offset = m->size + offset; + } + if (offset + count > m->size) { printf("ERROR: ram_map: request out of range (0x%x+0x%x)\n", offset, count); return NULL; -- cgit v1.2.3