author: Laszlo Ersek <lersek@redhat.com> 2013-12-17 18:17:55 +0000
committer: jljusten <jljusten@6f19259b-4bc3-4df7-8a09-765794883524> 2013-12-17 18:17:55 +0000
commit: 06f1982a6498731d9ef96a16b3fcd5937f317bd8 (patch)
tree: 146725120da895dc289852a2b474828eb54a2c85
parent: 077c7aeec07361fc36f8090be46959adb7d38873 (diff)
OvmfPkg: QemuFlashFvbServicesRuntimeDxe: fix out-of-LBA write access
When QemuFlashWrite() is asked to write a range that includes the last byte of the LBA, then the byte that the function uses to switch the flash device back to read mode (ROMD mode in KVM speak) actually falls out of the LBA.

Normally this doesn't cause visible problems. However, if the variable store and the firmware code are backed by separate flash devices, as implemented by

  [Qemu-devel] [PATCH v2] hw/i386/pc_sysfw: support two flash drives
  http://thread.gmane.org/gmane.comp.emulators.qemu/243678

plus

  [edk2] [edk2 PATCH] OvmfPkg: split the variable store to a separate file
  http://thread.gmane.org/gmane.comp.bios.tianocore.devel/5045/focus=5046

then the READ_ARRAY_CMD not only reaches a different LBA, it reaches a different qemu device. This results in a guest reboot soon after.

Fix this by ensuring that we always stay within the LBA just written when issuing READ_ARRAY_CMD.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14996 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r-- OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c | 2
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
index a3fe7d8741..f9c6f5c553 100644
--- a/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
+++ b/OvmfPkg/QemuFlashFvbServicesRuntimeDxe/QemuFlash.c
@@ -208,7 +208,7 @@ QemuFlashWrite (
// Restore flash to read mode
//
if (*NumBytes > 0) {
- *Ptr = READ_ARRAY_CMD;
+ *(Ptr - 1) = READ_ARRAY_CMD;
}
return EFI_SUCCESS;
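Review bot: The correctness of `*(Ptr - 1) = READ_ARRAY_CMD;` depends on an invariant that is not visible in this hunk: `Ptr` must have been advanced exactly once per byte written, so that `Ptr - 1` is the last byte actually programmed and therefore still inside the LBA. Please confirm that the write loop above the hunk never advances `Ptr` past the requested range (for example on an early exit or a retry path); if it can, `Ptr - 1` would again point outside the LBA and, in the split-flash configuration described in the commit message, at a different device. The `if (*NumBytes > 0)` guard is what keeps `Ptr - 1` from underflowing below the start of the buffer when nothing was written, so it should stay paired with this line. A short comment on the new line stating why the previous byte is used (the command must land within the LBA just written, not the byte following it) would prevent a future cleanup from "simplifying" it back to `*Ptr`.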