fs: cbfs: Fix out of bound access during CBFS walking through

The call to file_cbfs_fill_cache() is given with the parameter 'start' pointing to the offset by the CBFS base address, but with the parameter 'size' that equals to the whole CBFS size. During CBFS walking through, it checks files one by one and after it pass over the end of the CBFS which is 4GiB boundary it tries to check files from address 0 and so on, until the overall size the codes checked hits to the given 'size'. Fix this by passing 'start' pointing to the CBFS base address. Signed-off-by: Bin Meng <bmeng.cn@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
author: Bin Meng <bmeng.cn@gmail.com> 2018-12-22 01:55:49 -0800
committer: Bin Meng <bmeng.cn@gmail.com> 2018-12-31 09:42:41 +0800
commit: d94bf13c85c2773c8782bc7d6b4ac0190b5d489d (patch)
tree: 605ef95dea5e6c7fb3c5c535196120d0e88484a5 /fs/cbfs
parent: 9914c73261b198bf26df70cce8aa098f204cd763 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/cbfs/cbfs.c b/fs/cbfs/cbfs.c
index e9433252972..7b2513cb24b 100644
--- a/fs/cbfs/cbfs.c
+++ b/fs/cbfs/cbfs.c
@@ -189,8 +189,8 @@ void file_cbfs_init(uintptr_t end_of_rom)
 
 	start_of_rom = (u8 *)(end_of_rom + 1 - cbfs_header.rom_size);
 
-	file_cbfs_fill_cache(start_of_rom + cbfs_header.offset,
-			     cbfs_header.rom_size, cbfs_header.align);
+	file_cbfs_fill_cache(start_of_rom, cbfs_header.rom_size,
+			     cbfs_header.align);
 	if (file_cbfs_result == CBFS_SUCCESS)
 		initialized = 1;
 }
author	Bin Meng <bmeng.cn@gmail.com>	2018-12-22 01:55:49 -0800
committer	Bin Meng <bmeng.cn@gmail.com>	2018-12-31 09:42:41 +0800
commit	d94bf13c85c2773c8782bc7d6b4ac0190b5d489d (patch)
tree	605ef95dea5e6c7fb3c5c535196120d0e88484a5 /fs/cbfs
parent	9914c73261b198bf26df70cce8aa098f204cd763 (diff)