From fcb78657a22229e7edd3a144a346a2286b0c8702 Mon Sep 17 00:00:00 2001
From: Andre Przywara <osp@andrep.de>
Date: Fri, 3 Nov 2023 00:58:04 +0000
Subject: fel: sid: fix stack overflow while reading from SID

When reading from the SID device using the normal memory access method,
we upload our "readl" routine (via fel_readl_n()), which expects a number
of *words* to read. However length is given in *bytes*, so we read four
times as much, and overflow our key buffer, clobbering the return address.
This is typically fatal:
===============
$ ./sunxi-fel sid
02c05200:12345678:34567890:76543210
Segmentation fault (core dumped)
$
===============

Fix this by giving the number of (32-bit) words instead. We already
checked that length is a multiple of 4, so we can just divide.

Signed-off-by: Andre Przywara <osp@andrep.de>
---
 fel_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fel_lib.c b/fel_lib.c
index dfb8e98..b1c4ae8 100644
--- a/fel_lib.c
+++ b/fel_lib.c
@@ -623,7 +623,7 @@ int fel_read_sid(feldev_handle *dev, uint32_t *result,
 	else
 		/* Read SID directly from memory */
 		fel_readl_n(dev, soc->sid_base + soc->sid_offset + offset,
-			    result, length);
+			    result, length / 4);
 	return 0;
 }
 
-- 
cgit v1.2.3