NAND buffer overflow
JOHN E LENZ
jelenz at students.wisc.edu
Sun Jun 27 04:38:03 EDT 2004
I was getting some weird errors accessing NAND flash. I eventually traced the problem back to a buffer overflow in nand_read_raw. This is using the current mtd CVS linked into a 2.6.7 kernel.
Here is the scenario.
In nand_bbt.c, the nand_memory_bbt function calls create_bbt with mtd->data_buf. mtd->data_buf is of size 528.
create_bbt calls nand_read_raw with the same buffer pointer and a readlen of 1024. Whups!
nand_read_raw drops into a loop and reads chunks of pagesize into the buffer. pagesize is 528, but the length to read is 1056, so it calls read_buf twice. The problem is, the second call to read_buf will overflow and trash some memory since the buffer it is reading into is only 528 bytes.
The actual flash device is a Toshiba NAND 64MiB 3v3, 8-bit.
PS. I tried sending this message with my standard mail client, but it is rejected by "Message has a suspicious header". No other mailing lists I am on have problems. What is this suspicious header and why is it blocking my email? I wish the reject message would give me more information so I could actually fix the problem!!! Oh, I was going to attach the hardware driver I am using to control the nand device, but I don't really have access to it from this web client.
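The overflow described in this post, as a user-space C model added here (not the mtd driver's code and not part of the original message): a loop that fills whole 528-byte chunks writes 1056 bytes for a readlen of 1024, so the sketch checks the destination size before the first read. The function names, the `dst_size` parameter and the fill pattern are assumptions made for illustration.

```c
#include <string.h>

#define CHUNK 528 /* bytes per read_buf call in the post */

/* Constructed stand-in for the chip's read_buf(): fills len bytes with tag. */
static void model_read_buf(unsigned char *dst, size_t len, unsigned char tag)
{
    memset(dst, tag, len);
}

/* Bytes a whole-chunk loop writes for a request of readlen bytes. */
static size_t bytes_loop_writes(size_t readlen)
{
    return (readlen + CHUNK - 1) / CHUNK * CHUNK;
}

/* Hypothetical checked read: rejects before the first write if the loop
 * would run past dst_size. Returns bytes written, or -1 on rejection. */
static long read_raw_checked(unsigned char *dst, size_t dst_size, size_t readlen)
{
    size_t done;
    unsigned char tag = 0;

    if (readlen > dst_size || bytes_loop_writes(readlen) > dst_size)
        return -1;
    for (done = 0; done < readlen; done += CHUNK)
        model_read_buf(dst + done, CHUNK, ++tag);
    return (long)done;
}

/* The post's case: 528-byte buffer, readlen 1024. Returns 1 if the call is
 * rejected and the guard bytes after the buffer are untouched. */
static int small_buffer_case(void)
{
    struct { unsigned char buf[CHUNK]; unsigned char guard[2]; } m;
    memset(&m, 0xA5, sizeof m);
    return read_raw_checked(m.buf, sizeof m.buf, 1024) == -1 &&
           m.guard[0] == 0xA5 && m.guard[1] == 0xA5;
}

/* Same request, buffer sized for both chunks. Returns bytes written. */
static long sized_buffer_case(void)
{
    unsigned char buf[2 * CHUNK];
    long n = read_raw_checked(buf, sizeof buf, 1024);
    return (n == 1056 && buf[0] == 1 && buf[CHUNK] == 2) ? n : -2;
}

int main(void) { return !(small_buffer_case() && sized_buffer_case() == 1056); }
```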