Bug #2658

scf_get_bootconfig will indirectly stomp caller memory

Added by Rich Lowe over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: lib - userland libraries
Start date: 2012-04-27
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

When scf_read_propvec() is given a propvec_t with pv_aux set and a boolean type, it writes the result pointer as a uint64_t with the bits marked by pv_aux set to 1.

scf_get_boot_config passes a uint8_t from the caller, leading either to stomping 7 extra bytes or an alignment trap depending on platform and caller.

We should keep a uint64_t in scf_get_boot_config for scf_read_propvec to write, then return the low 8 of that.
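The width mismatch and the proposed fix, as an added example that is not part of the original report or the illumos source. `struct caller`, `model_read_bool`, `unsafe_get` and `fixed_get` are hypothetical names, the 64-bit read-modify-write is a model built from the description above, and the byte order is passed explicitly so both platform outcomes can be reproduced on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed caller layout: the 1-byte flags field with unrelated data behind it. */
struct caller { uint8_t flags; uint8_t neighbours[7]; };

/* 64-bit load/store with an explicit byte order (be = 1 means big-endian). */
static uint64_t load64(const uint8_t *p, int be) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)p[i] << (8 * (be ? 7 - i : i));
    return v;
}
static void store64(uint8_t *p, uint64_t v, int be) {
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * (be ? 7 - i : i)));
}

/* Hypothetical model of the boolean + pv_aux path as the report describes it:
 * the destination is treated as a uint64_t and the aux bits are set to 1. */
static void model_read_bool(uint8_t *dst, uint64_t aux, int be) {
    store64(dst, load64(dst, be) | aux, be);
}

/* Before: the callee is handed the address of the caller's uint8_t (the first
 * byte of struct caller). Returns how many neighbour bytes changed value. */
int unsafe_get(struct caller *c, uint64_t aux, int be) {
    struct caller old = *c;
    int changed = 0;
    model_read_bool((uint8_t *)c, aux, be);
    for (int i = 0; i < 7; i++)
        changed += (c->neighbours[i] != old.neighbours[i]);
    return changed;
}

/* After: a full-width temporary takes the 64-bit write, and only its low
 * 8 bits are copied back to the caller. */
void fixed_get(struct caller *c, uint64_t aux, int be) {
    uint8_t tmp[8];
    store64(tmp, c->flags, be);
    model_read_bool(tmp, aux, be);
    c->flags = (uint8_t)load64(tmp, be);
}

int main(void) {
    struct caller le = {0, {0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70}}, be = le;
    int n_le = unsafe_get(&le, 0x04, 0), n_be = unsafe_get(&be, 0x04, 1);
    printf("LE: flags=%#x changed=%d  BE: flags=%#x changed=%d\n",
        (unsigned)le.flags, n_le, (unsigned)be.flags, n_be);
}
```

In this model the little-endian layout rewrites the seven neighbouring bytes with their old values, while the big-endian layout leaves `flags` untouched and sets the bit in the last neighbour; `fixed_get` gives the same `flags` value in both layouts.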

#1

Updated by Rich Lowe over 8 years ago

  • Status changed from New to In Progress

#2

Updated by Rich Lowe over 8 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100

Resolved in r13678 commit:8f2b5c7a4c80
