* [PATCH] RISC-V: fix stack clobbering in relocate_to_adr
@ 2025-09-12 8:34 Ahmad Fatoum
From: Ahmad Fatoum @ 2025-09-12 8:34 UTC
To: barebox; +Cc: Ahmad Fatoum
relocate_to_adr is decrementing two SZREG worth of stack space to be able
to spill two registers. An off-by-one led us to reference the word after
the reserved stack space, clobbering one word from the previous
function's stack frame unintentionally.
Fix this by decrementing the offsets by 1.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
arch/riscv/lib/setupc.S | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/riscv/lib/setupc.S b/arch/riscv/lib/setupc.S
index d225186c79fd..423de4181ea6 100644
--- a/arch/riscv/lib/setupc.S
+++ b/arch/riscv/lib/setupc.S
@@ -32,14 +32,14 @@ ENTRY(relocate_to_adr)
/* adjust return address */
sub ra, ra, a1 /* sub address where we are actually running */
add ra, ra, a0 /* add address where we are going to run */
- REG_S ra, (SZREG * 2)(sp)
+ REG_S ra, SZREG(sp)
beq a0, a1, copied /* skip if already at new address */
lla a2, copied
sub a2, a2, a1
add a2, a2, a0
- REG_S a2, (SZREG * 1)(sp)
+ REG_S a2, (sp)
lla a2, __bss_start
sub a2, a2, a1 /* a2: size */
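Review bot: the two stores now land at offsets 0 and SZREG, which is exactly the two-word frame that the epilogue's `addi sp, sp, SZREG * 2` releases, whereas the old `(SZREG * 2)(sp)` slot lies one word above that frame and therefore overwrote the caller's frame. The matching prologue that reserves the frame is above this hunk and not visible here, so it is worth confirming in the full file that it subtracts exactly `SZREG * 2` and nothing else relies on the third slot. As a minor style point, writing `REG_S a2, (SZREG * 0)(sp)` would keep the slot arithmetic explicit and symmetric with the `SZREG(sp)` store a few lines up; the commit message also says "decrementing the offsets by 1", where "by one word (SZREG)" would be the precise statement.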
@@ -48,10 +48,10 @@ ENTRY(relocate_to_adr)
jal sync_caches_for_execution
- REG_L a0, (SZREG * 1)(sp)
+ REG_L a0, (sp)
jr a0 /* jump to relocated address */
copied:
- REG_L ra, (SZREG * 2)(sp)
+ REG_L ra, SZREG(sp)
addi sp, sp, SZREG * 2
j relocate_to_current_adr /* relocate binary */
ENDPROC(relocate_to_adr)
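Review bot: the loads are consistent with the stores in the first hunk: `a0` is reloaded from `(sp)` on the not-yet-copied path, where `a2` was stored, and `ra` from `SZREG(sp)` on the `copied` path, where `ra` was stored, so each slot is written before it is read and both stay inside the frame freed by `addi sp, sp, SZREG * 2`. One gap is the commit message: since this is a bug fix for an off-by-one that silently corrupted one word of the previous function's frame, a `Fixes:` tag naming the commit that introduced the `(SZREG * 2)(sp)` offset would help backporting and make the regression range explicit.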
--
2.47.3