/* CBMEM firmware console log descriptor. */
struct cbmem_cons {
- u32 size;
+ u32 size_dont_access_after_boot;
u32 cursor;
u8 body[0];
} __packed;
#define OVERFLOW (1 << 31)
static struct cbmem_cons __iomem *cbmem_console;
+static u32 cbmem_console_size;
/*
* The cbmem_console structure is read again on every access because it may
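Review bot: The new `cbmem_console_size` global carries no comment saying it is the only trusted copy of the size, and the renamed struct field does not explain why it must not be read after boot, so a later change could easily reintroduce a read of `cbmem_console->size_dont_access_after_boot`. I would add above the global `/* Size snapshotted once at probe; the field in the shared buffer is writable via /dev/mem afterwards and must never be used as a bound. */` and, in the struct, note that `cursor` likewise stays writable at runtime and every reader must clamp it to `cbmem_console_size`. Separately, `u8 body[0]` is a GNU zero-length array; the C99 flexible array member `u8 body[];` is the idiom the kernel has been moving to, though that is outside the scope of this fix.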
{
u32 cursor = cbmem_console->cursor & CURSOR_MASK;
u32 flags = cbmem_console->cursor & ~CURSOR_MASK;
- u32 size = cbmem_console->size;
+ u32 size = cbmem_console_size;
struct seg { /* describes ring buffer segments in logical order */
u32 phys; /* physical offset from start of mem buffer */
u32 len; /* length of segment */
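Review bot: `cbmem_console->cursor` is loaded twice, once for `cursor` and once for `flags`, so a firmware or /dev/mem write landing between the two loads can pair a fresh cursor with a stale OVERFLOW bit; load it once: `u32 raw = cbmem_console->cursor;` then `u32 cursor = raw & CURSOR_MASK;` and `u32 flags = raw & ~CURSOR_MASK;`. Because `cursor` still comes from writable shared memory while `size` is now the boot-time snapshot, the segment setup that follows (outside this hunk) must keep clamping `cursor` against `size` on both the overflow and non-overflow paths, otherwise the snapshot alone does not stop an out-of-bounds read of `body`. The enclosing function's signature and the rest of its body are outside the hunk, so I could not confirm that clamping here.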
if (!tmp_cbmc)
return -ENOMEM;
+ /* Read size only once to prevent overrun attack through /dev/mem. */
+ cbmem_console_size = tmp_cbmc->size_dont_access_after_boot;
cbmem_console = memremap(physaddr,
- tmp_cbmc->size + sizeof(*cbmem_console),
+ cbmem_console_size + sizeof(*cbmem_console),
MEMREMAP_WB);
memunmap(tmp_cbmc);
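Review bot: The snapshotted size goes unchecked into `cbmem_console_size + sizeof(*cbmem_console)`; on a 32-bit build both operands are 32-bit, so a corrupt value near U32_MAX wraps the mapping length to a few bytes while readers still trust the full size, and on 64-bit an oversized value simply maps an arbitrarily large region. A plausibility check right after the snapshot, rejecting sizes larger than the CBMEM area can hold (that bound is not visible here), with `memunmap(tmp_cbmc); return -EINVAL;` on failure would close this; `check_add_overflow()` is the cleaner form if the tree has it. Since probe runs before userspace exists, this guards against bad firmware tables rather than the /dev/mem attack the commit targets. The NULL check on the second memremap result presumably follows outside the hunk.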