From db2e3aa2578a931924f5bd269b0279bd403263ea Mon Sep 17 00:00:00 2001
From: Patrick Georgi <patrick@georgi-clan.de>
Date: Sat, 9 Mar 2013 10:52:50 +0100
Subject: libpayload: Fix reading x86 CBFS images from RAM

Three issues:
 1. the hardcoded dereferenced pointer at 0xfffffffc
 2. "RAM media" has no idea about ROM relative addresses
 3. off-by-one in RAM media: it's legal to request 4 bytes from 0xfffffffc

Change-Id: I671ac12d412c71dc8e8e6114f2ea13f58dd99c1d
Signed-off-by: Patrick Georgi <patrick@georgi-clan.de>
Reviewed-on: http://review.coreboot.org/2624
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
---
 payloads/libpayload/libcbfs/cbfs.c      | 10 ++++++++--
 payloads/libpayload/libcbfs/ram_media.c |  6 +++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/payloads/libpayload/libcbfs/cbfs.c b/payloads/libpayload/libcbfs/cbfs.c
index 35e48dda27..2fb91bf2d2 100644
--- a/payloads/libpayload/libcbfs/cbfs.c
+++ b/payloads/libpayload/libcbfs/cbfs.c
@@ -65,8 +65,14 @@
 #if defined(CONFIG_CBFS_HEADER_ROM_OFFSET) && (CONFIG_CBFS_HEADER_ROM_OFFSET)
 # define CBFS_HEADER_ROM_ADDRESS (CONFIG_CBFS_HEADER_ROM_OFFSET)
 #else
-// Indirect address: only works on 32bit top-aligned systems.
-# define CBFS_HEADER_ROM_ADDRESS (*(uint32_t*)0xfffffffc)
+/* ugly hack: this assumes that "media" exists
+              in the scope where the macro is used. */
+static uint32_t fetch_x86_header(struct cbfs_media *media)
+{
+	uint32_t *header_ptr = media->map(media, 0xfffffffc, 4);
+	return *header_ptr;
+}
+# define CBFS_HEADER_ROM_ADDRESS fetch_x86_header(media)
 #endif
 
 #include "cbfs_core.c"
diff --git a/payloads/libpayload/libcbfs/ram_media.c b/payloads/libpayload/libcbfs/ram_media.c
index 87b5292b63..1a0500e1be 100644
--- a/payloads/libpayload/libcbfs/ram_media.c
+++ b/payloads/libpayload/libcbfs/ram_media.c
@@ -43,7 +43,11 @@ static int ram_open(struct cbfs_media *media) {
 
 static void *ram_map(struct cbfs_media *media, size_t offset, size_t count) {
 	struct ram_media *m = (struct ram_media*)media->context;
-	if (offset + count >= m->size) {
+	/* assume addressing from top of image in this case */
+	if (offset > 0xf0000000) {
+		offset = m->size + offset;
+	}
+	if (offset + count > m->size) {
 		printf("ERROR: ram_map: request out of range (0x%x+0x%x)\n",
 		       offset, count);
 		return NULL;
-- 
cgit v1.2.3