NAND buffer overflow
John Lenz
jelenz at students.wisc.edu
Sun Jun 27 04:46:06 EDT 2004
I was getting some weird errors accessing NAND flash. I eventually
traced the problem back to a buffer overflow in nand_read_raw. This is
using the current mtd CVS linked into a 2.6.7 kernel.
Here is the scenario.
In nand_bbt.c, the nand_memory_bbt function calls create_bbt with
mtd->data_buf. mtd->data_buf is of size 528.
In create_bbt it calls nand_read_raw with the same buffer pointer and a
readlen of 1024. Whups!
nand_read_raw drops into a loop and reads chunks of pagesize into the
buffer. pagesize is 528, but the length to read is 1056, so it calls
read_buf twice. The problem is, the second call to read_buf will
overflow and trash some memory since the buffer it is reading into is
only 528 bytes.
I have attached the hardware driver I am using in case I am doing
something wrong...
The actual flash device is a Toshiba NAND 64MiB 3v3, 8-bit.
John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sharp_sl.c
Type: text/x-csrc
Size: 4968 bytes
Desc: not available
Url : http://lists.infradead.org/pipermail/linux-mtd/attachments/20040627/ca2c5137/attachment.bin
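The arithmetic in the report (a 1024-byte request rounded up to two 528-byte page reads into a 528-byte buffer) is easy to model. The block below is an added illustration, not the MTD driver's code or the poster's attachment: it reproduces the page-sized read loop in a simplified form, computes how many bytes the loop would actually write for a given request, and adds the bounds check that the described call path lacks, so a caller asking for more than the destination can hold is refused instead of overrunning it. The page size, buffer size and fill pattern are constructed values chosen to match the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed to match the report: one page is 528 bytes and the caller's
 * buffer (mtd->data_buf in the post) is also 528 bytes. */
#define PAGESIZE      528u
#define DATA_BUF_SIZE 528u

/* Model of the read loop described in the post: every iteration reads one
 * full page, and the loop runs until at least len bytes have been read.
 * Returns the total number of bytes the loop would write into the buffer,
 * which is len rounded up to a multiple of pagesize. */
static size_t raw_read_bytes_written(size_t len, size_t pagesize)
{
    size_t written = 0;
    while (written < len)
        written += pagesize;   /* one read_buf() of a whole page */
    return written;
}

/* Hardened form of the same loop (hypothetical helper, not the MTD API):
 * the caller passes the real capacity of buf, and the read is refused with
 * -1 when the rounded-up length would exceed it. On success the page reads
 * are simulated with an erased-flash pattern and the byte count returned. */
static int raw_read_checked(uint8_t *buf, size_t buflen,
                            size_t len, size_t pagesize)
{
    size_t need = raw_read_bytes_written(len, pagesize);
    if (need > buflen)
        return -1;             /* would overrun buf: reject before reading */
    for (size_t off = 0; off < need; off += pagesize)
        memset(buf + off, 0xFF, pagesize);   /* stand-in for read_buf() */
    return (int)need;
}

int main(void)
{
    uint8_t data_buf[DATA_BUF_SIZE];
    size_t total = raw_read_bytes_written(1024, PAGESIZE);

    printf("request 1024 bytes -> loop writes %zu bytes (%zu pages)\n",
           total, total / PAGESIZE);
    printf("buffer holds %u bytes, overrun would be %zu bytes\n",
           DATA_BUF_SIZE, total - DATA_BUF_SIZE);
    printf("checked read into 528-byte buffer: %d\n",
           raw_read_checked(data_buf, sizeof data_buf, 1024, PAGESIZE));
    return 0;
}
```

The checked variant makes the failure visible at the call site rather than as memory corruption later: with the values from the report it returns -1, while a caller that supplies a buffer of two pages (1056 bytes) gets the full rounded-up read.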