loads: Block writes into LMB reserved areas of U-Boot

The loads srec loading may overwrite piece of U-Boot accidentally. Prevent that by using LMB to detect whether upcoming write would overwrite piece of reserved U-Boot code, and if that is the case, abort the srec loading. Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com> Cc: Simon Glass <sjg@chromium.org> Cc: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org>

loads: Block writes into LMB reserved areas of U-Boot
The loads srec loading may overwrite piece of U-Boot accidentally. Prevent that by using LMB to detect whether upcoming write would overwrite piece of reserved U-Boot code, and if that is the case, abort the srec loading. Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com> Cc: Simon Glass <sjg@chromium.org> Cc: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Marek Vasut · Tom Rini
1 parent f47f87f257
Showing 1 changed file with 12 additions and 0 deletions Side-by-side Diff
cmd/load.c
@@ -16,6 +16,7 @@
 #include <exports.h>
 #include <flash.h>
 #include <image.h>
+#include <lmb.h>
 #include <mapmem.h>
 #include <net.h>
 #include <s_record.h>
@@ -137,6 +138,7 @@
  
 static ulong load_serial(long offset)
 {
+	struct lmb lmb;
 	char	record[SREC_MAXRECLEN + 1];	/* buffer for one S-Record	*/
 	char	binbuf[SREC_MAXBINLEN];		/* buffer for binary data	*/
 	int	binlen;				/* no. of data bytes in S-Rec.	*/
  
@@ -147,7 +149,10 @@
 	ulong	start_addr = ~0;
 	ulong	end_addr   =  0;
 	int	line_count =  0;
+	long ret;
  
+	lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob);
+
 	while (read_record(record, SREC_MAXRECLEN + 1) >= 0) {
 		type = srec_decode(record, &binlen, &addr, binbuf);
  
  
@@ -172,7 +177,14 @@
 		    } else
 #endif
 		    {
+			ret = lmb_reserve(&lmb, store_addr, binlen);
+			if (ret) {
+				printf("\nCannot overwrite reserved area (%08lx..%08lx)\n",
+					store_addr, store_addr + binlen);
+				return ret;
+			}
 			memcpy((char *)(store_addr), binbuf, binlen);
+			lmb_free(&lmb, store_addr, binlen);
 		    }
 		    if ((store_addr) < start_addr)
 			start_addr = store_addr;
...	...	@@ -16,6 +16,7 @@
16	16	#include <exports.h>
17	17	#include <flash.h>
18	18	#include <image.h>
	19	+#include <lmb.h>
19	20	#include <mapmem.h>
20	21	#include <net.h>
21	22	#include <s_record.h>
...	...	@@ -137,6 +138,7 @@
137	138
138	139	static ulong load_serial(long offset)
139	140	{
	141	+ struct lmb lmb;
140	142	char record[SREC_MAXRECLEN + 1]; /* buffer for one S-Record */
141	143	char binbuf[SREC_MAXBINLEN]; /* buffer for binary data */
142	144	int binlen; /* no. of data bytes in S-Rec. */
143	145
...	...	@@ -147,7 +149,10 @@
147	149	ulong start_addr = ~0;
148	150	ulong end_addr = 0;
149	151	int line_count = 0;
	152	+ long ret;
150	153
	154	+ lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob);
	155	+
151	156	while (read_record(record, SREC_MAXRECLEN + 1) >= 0) {
152	157	type = srec_decode(record, &binlen, &addr, binbuf);
153	158
154	159
...	...	@@ -172,7 +177,14 @@
172	177	} else
173	178	#endif
174	179	{
	180	+ ret = lmb_reserve(&lmb, store_addr, binlen);
	181	+ if (ret) {
	182	+ printf("\nCannot overwrite reserved area (%08lx..%08lx)\n",
	183	+ store_addr, store_addr + binlen);
	184	+ return ret;
	185	+ }
175	186	memcpy((char *)(store_addr), binbuf, binlen);
	187	+ lmb_free(&lmb, store_addr, binlen);
176	188	}
177	189	if ((store_addr) < start_addr)
178	190	start_addr = store_addr;